diff options
| author | Franz Pletz <fpletz@fnordicwalking.de> | 2019-12-26 14:16:15 +0100 |
|---|---|---|
| committer | Franz Pletz <fpletz@fnordicwalking.de> | 2019-12-26 14:17:36 +0100 |
| commit | 77b6c3cd06a679140fb5a44f81f904497007f333 (patch) | |
| tree | e8ed1606b326cdafba719cc2a14c527c1b601f2e /nixos/modules | |
| parent | 602bccd1a8262d4e6bd787838d21fc3c2c1c50ba (diff) | |
| parent | 4d2dd1554618831f0a5b159b8a4dff86612c02a9 (diff) | |
| download | nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.tar nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.tar.gz nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.tar.bz2 nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.tar.lz nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.tar.xz nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.tar.zst nixpkgs-77b6c3cd06a679140fb5a44f81f904497007f333.zip | |
Merge remote-tracking branch 'origin/master' into gcc-9
Diffstat (limited to 'nixos/modules')
240 files changed, 5188 insertions, 3344 deletions
diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix new file mode 100644 index 00000000000..f662ed62d31 --- /dev/null +++ b/nixos/modules/config/console.nix @@ -0,0 +1,203 @@ + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.console; + + makeColor = i: concatMapStringsSep "," (x: "0x" + substring (2*i) 2 x); + + isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); + + optimizedKeymap = pkgs.runCommand "keymap" { + nativeBuildInputs = [ pkgs.buildPackages.kbd ]; + LOADKEYS_KEYMAP_PATH = "${consoleEnv}/share/keymaps/**"; + preferLocalBuild = true; + } '' + loadkeys -b ${optionalString isUnicode "-u"} "${cfg.keyMap}" > $out + ''; + + # Sadly, systemd-vconsole-setup doesn't support binary keymaps. + vconsoleConf = pkgs.writeText "vconsole.conf" '' + KEYMAP=${cfg.keyMap} + FONT=${cfg.font} + ''; + + consoleEnv = pkgs.buildEnv { + name = "console-env"; + paths = [ pkgs.kbd ] ++ cfg.packages; + pathsToLink = [ + "/share/consolefonts" + "/share/consoletrans" + "/share/keymaps" + "/share/unimaps" + ]; + }; + + setVconsole = !config.boot.isContainer; +in + +{ + ###### interface + + options.console = { + font = mkOption { + type = types.str; + default = "Lat2-Terminus16"; + example = "LatArCyrHeb-16"; + description = '' + The font used for the virtual consoles. Leave empty to use + whatever the <command>setfont</command> program considers the + default font. + ''; + }; + + keyMap = mkOption { + type = with types; either str path; + default = "us"; + example = "fr"; + description = '' + The keyboard mapping table for the virtual consoles. + ''; + }; + + colors = mkOption { + type = types.listOf types.str; + default = []; + example = [ + "002b36" "dc322f" "859900" "b58900" + "268bd2" "d33682" "2aa198" "eee8d5" + "002b36" "cb4b16" "586e75" "657b83" + "839496" "6c71c4" "93a1a1" "fdf6e3" + ]; + description = '' + The 16 colors palette used by the virtual consoles. + Leave empty to use the default colors. + Colors must be in hexadecimal format and listed in + order from color 0 to color 15. + ''; + + }; + + packages = mkOption { + type = types.listOf types.package; + default = with pkgs.kbdKeymaps; [ dvp neo ]; + defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]''; + description = '' + List of additional packages that provide console fonts, keymaps and + other resources for virtual consoles use. + ''; + }; + + extraTTYs = mkOption { + default = []; + type = types.listOf types.str; + example = ["tty8" "tty9"]; + description = '' + TTY (virtual console) devices, in addition to the consoles on + which mingetty and syslogd run, that must be initialised. + Only useful if you have some program that you want to run on + some fixed console. For example, the NixOS installation CD + opens the manual in a web browser on console 7, so it sets + <option>console.extraTTYs</option> to <literal>["tty7"]</literal>. + ''; + }; + + useXkbConfig = mkOption { + type = types.bool; + default = false; + description = '' + If set, configure the virtual console keymap from the xserver + keyboard settings. + ''; + }; + + earlySetup = mkOption { + default = false; + type = types.bool; + description = '' + Enable setting virtual console options as early as possible (in initrd). + ''; + }; + + }; + + + ###### implementation + + config = mkMerge [ + { console.keyMap = with config.services.xserver; + mkIf cfg.useXkbConfig + (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } '' + '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \ + -option '${xkbOptions}' -variant '${xkbVariant}' > "$out" + ''); + } + + (mkIf (!setVconsole) { + systemd.services.systemd-vconsole-setup.enable = false; + }) + + (mkIf setVconsole (mkMerge [ + { environment.systemPackages = [ pkgs.kbd ]; + + # Let systemd-vconsole-setup.service do the work of setting up the + # virtual consoles. + environment.etc."vconsole.conf".source = vconsoleConf; + # Provide kbd with additional packages. + environment.etc.kbd.source = "${consoleEnv}/share"; + + boot.initrd.preLVMCommands = mkBefore '' + kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console + printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console + loadkmap < ${optimizedKeymap} + + ${optionalString cfg.earlySetup '' + setfont -C /dev/console $extraUtils/share/consolefonts/font.psf + ''} + ''; + + systemd.services.systemd-vconsole-setup = + { before = [ "display-manager.service" ]; + after = [ "systemd-udev-settle.service" ]; + restartTriggers = [ vconsoleConf consoleEnv ]; + }; + } + + (mkIf (cfg.colors != []) { + boot.kernelParams = [ + "vt.default_red=${makeColor 0 cfg.colors}" + "vt.default_grn=${makeColor 1 cfg.colors}" + "vt.default_blu=${makeColor 2 cfg.colors}" + ]; + }) + + (mkIf cfg.earlySetup { + boot.initrd.extraUtilsCommands = '' + mkdir -p $out/share/consolefonts + ${if substring 0 1 cfg.font == "/" then '' + font="${cfg.font}" + '' else '' + font="$(echo ${consoleEnv}/share/consolefonts/${cfg.font}.*)" + ''} + if [[ $font == *.gz ]]; then + gzip -cd $font > $out/share/consolefonts/font.psf + else + cp -L $font $out/share/consolefonts/font.psf + fi + ''; + }) + ])) + ]; + + imports = [ + (mkRenamedOptionModule [ "i18n" "consoleFont" ] [ "console" "font" ]) + (mkRenamedOptionModule [ "i18n" "consoleKeyMap" ] [ "console" "keyMap" ]) + (mkRenamedOptionModule [ "i18n" "consoleColors" ] [ "console" "colors" ]) + (mkRenamedOptionModule [ "i18n" "consolePackages" ] [ "console" "packages" ]) + (mkRenamedOptionModule [ "i18n" "consoleUseXkbConfig" ] [ "console" "useXkbConfig" ]) + (mkRenamedOptionModule [ "boot" "earlyVconsoleSetup" ] [ "console" "earlySetup" ]) + (mkRenamedOptionModule [ "boot" "extraTTYs" ] [ "console" "extraTTYs" ]) + ]; +} diff --git a/nixos/modules/config/fonts/corefonts.nix b/nixos/modules/config/fonts/corefonts.nix deleted file mode 100644 index b9f69879a10..00000000000 --- a/nixos/modules/config/fonts/corefonts.nix +++ /dev/null @@ -1,36 +0,0 @@ -# This module is deprecated, since you can just say ‘fonts.fonts = [ -# pkgs.corefonts ];’ instead. - -{ config, lib, pkgs, ... }: - -with lib; - -{ - - options = { - - fonts = { - - enableCoreFonts = mkOption { - visible = false; - default = false; - description = '' - Whether to include Microsoft's proprietary Core Fonts. These fonts - are redistributable, but only verbatim, among other restrictions. - See <link xlink:href="http://corefonts.sourceforge.net/eula.htm"/> - for details. - ''; - }; - - }; - - }; - - - config = mkIf config.fonts.enableCoreFonts { - - fonts.fonts = [ pkgs.corefonts ]; - - }; - -} diff --git a/nixos/modules/config/fonts/fontconfig-ultimate.nix b/nixos/modules/config/fonts/fontconfig-ultimate.nix deleted file mode 100644 index 84d90899dff..00000000000 --- a/nixos/modules/config/fonts/fontconfig-ultimate.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let cfg = config.fonts.fontconfig.ultimate; - - latestVersion = pkgs.fontconfig.configVersion; - - # The configuration to be included in /etc/font/ - confPkg = pkgs.runCommand "font-ultimate-conf" { preferLocalBuild = true; } '' - support_folder=$out/etc/fonts/conf.d - latest_folder=$out/etc/fonts/${latestVersion}/conf.d - - mkdir -p $support_folder - mkdir -p $latest_folder - - # fontconfig ultimate substitutions - ${optionalString (cfg.substitutions != "none") '' - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \ - $support_folder - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \ - $latest_folder - ''} - - # fontconfig ultimate various configuration files - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \ - $support_folder - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \ - $latest_folder - ''; - -in -{ - - options = { - - fonts = { - - fontconfig = { - - ultimate = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable fontconfig-ultimate settings (formerly known as - Infinality). Besides the customizable settings in this NixOS - module, fontconfig-ultimate also provides many font-specific - rendering tweaks. - ''; - }; - - substitutions = mkOption { - type = types.enum ["free" "combi" "ms" "none"]; - default = "free"; - description = '' - Font substitutions to replace common Type 1 fonts with nicer - TrueType fonts. <literal>free</literal> uses free fonts, - <literal>ms</literal> uses Microsoft fonts, - <literal>combi</literal> uses a combination, and - <literal>none</literal> disables the substitutions. - ''; - }; - - preset = mkOption { - type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"]; - default = "ultimate3"; - description = '' - FreeType rendering settings preset. Any of the presets may be - customized by setting environment variables. - ''; - }; - }; - }; - }; - - }; - - config = mkIf (config.fonts.fontconfig.enable && cfg.enable) { - - fonts.fontconfig.confPackages = [ confPkg ]; - environment.variables.INFINALITY_FT = cfg.preset; - - }; - -} diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 8f227c42326..3bfa1893a8b 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -264,6 +264,16 @@ let }; in { + imports = [ + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) + (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") + (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") + (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") + ]; options = { diff --git a/nixos/modules/config/fonts/fonts.nix b/nixos/modules/config/fonts/fonts.nix index abb806b601a..b9bae44b2f9 100644 --- a/nixos/modules/config/fonts/fonts.nix +++ b/nixos/modules/config/fonts/fonts.nix @@ -3,6 +3,9 @@ with lib; { + imports = [ + (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.") + ]; options = { diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix index d0db8fedecd..45691f4839c 100644 --- a/nixos/modules/config/i18n.nix +++ b/nixos/modules/config/i18n.nix @@ -58,62 +58,6 @@ with lib; ''; }; - consolePackages = mkOption { - type = types.listOf types.package; - default = with pkgs.kbdKeymaps; [ dvp neo ]; - defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]''; - description = '' - List of additional packages that provide console fonts, keymaps and - other resources. - ''; - }; - - consoleFont = mkOption { - type = types.str; - default = "Lat2-Terminus16"; - example = "LatArCyrHeb-16"; - description = '' - The font used for the virtual consoles. Leave empty to use - whatever the <command>setfont</command> program considers the - default font. - ''; - }; - - consoleUseXkbConfig = mkOption { - type = types.bool; - default = false; - description = '' - If set, configure the console keymap from the xserver keyboard - settings. - ''; - }; - - consoleKeyMap = mkOption { - type = with types; either str path; - default = "us"; - example = "fr"; - description = '' - The keyboard mapping table for the virtual consoles. - ''; - }; - - consoleColors = mkOption { - type = types.listOf types.str; - default = []; - example = [ - "002b36" "dc322f" "859900" "b58900" - "268bd2" "d33682" "2aa198" "eee8d5" - "002b36" "cb4b16" "586e75" "657b83" - "839496" "6c71c4" "93a1a1" "fdf6e3" - ]; - description = '' - The 16 colors palette used by the virtual consoles. - Leave empty to use the default colors. - Colors must be in hexadecimal format and listed in - order from color 0 to color 15. - ''; - }; - }; }; @@ -123,13 +67,6 @@ with lib; config = { - i18n.consoleKeyMap = with config.services.xserver; - mkIf config.i18n.consoleUseXkbConfig - (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } '' - '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \ - -option '${xkbOptions}' -variant '${xkbVariant}' > "$out" - ''); - environment.systemPackages = optional (config.i18n.supportedLocales != []) config.i18n.glibcLocales; diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index a89667ea221..81427bb8ee6 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -16,6 +16,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "networking" "hostConf" ] "Use environment.etc.\"host.conf\" instead.") + ]; options = { @@ -41,19 +44,6 @@ in ''; }; - networking.hostConf = lib.mkOption { - type = types.lines; - default = "multi on"; - example = '' - multi on - reorder on - trim lan - ''; - description = '' - The contents of <filename>/etc/host.conf</filename>. See also <citerefentry><refentrytitle>host.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. - ''; - }; - networking.timeServers = mkOption { default = [ "0.nixos.pool.ntp.org" @@ -186,7 +176,9 @@ in ''; # /etc/host.conf: resolver configuration file - "host.conf".text = cfg.hostConf; + "host.conf".text = '' + multi on + ''; } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { # /etc/rpc: RPC program numbers. diff --git a/nixos/modules/config/qt5.nix b/nixos/modules/config/qt5.nix index 7de1c0f5d55..d9dec74f155 100644 --- a/nixos/modules/config/qt5.nix +++ b/nixos/modules/config/qt5.nix @@ -10,7 +10,7 @@ let isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita"; packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ] - else if isQtStyle then [ pkgs.qtstyleplugins ] + else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ] else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible."; in diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix index 406c6a7ac32..7d2f252a888 100644 --- a/nixos/modules/config/resolvconf.nix +++ b/nixos/modules/config/resolvconf.nix @@ -33,6 +33,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ]) + (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ]) + (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ]) + (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ]) + ]; options = { diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index b79e16cd797..a0a20228a74 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -122,7 +122,7 @@ in description = '' Include ~/bin/ in $PATH. ''; - default = true; + default = false; type = types.bool; }; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index ae3bdeb00e6..141e43fec39 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -403,6 +403,10 @@ let filter types.shellPackage.check shells; in { + imports = [ + (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) + (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) + ]; ###### interface diff --git a/nixos/modules/config/vpnc.nix b/nixos/modules/config/vpnc.nix deleted file mode 100644 index 356e007c0a3..00000000000 --- a/nixos/modules/config/vpnc.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - cfg = config.networking.vpnc; - mkServiceDef = name: value: - { - name = "vpnc/${name}.conf"; - value = { text = value; }; - }; - -in -{ - options = { - networking.vpnc = { - services = mkOption { - type = types.attrsOf types.str; - default = {}; - example = literalExample '' - { test = ''' - IPSec gateway 192.168.1.1 - IPSec ID someID - IPSec secret secretKey - Xauth username name - Xauth password pass - '''; - } - ''; - description = - '' - The names of cisco VPNs and their associated definitions - ''; - }; - }; - }; - - config.environment.etc = mapAttrs' mkServiceDef cfg.services; -} - - diff --git a/nixos/modules/config/xdg/portal.nix b/nixos/modules/config/xdg/portal.nix index bdbbfda2bb4..95fa8e05fa3 100644 --- a/nixos/modules/config/xdg/portal.nix +++ b/nixos/modules/config/xdg/portal.nix @@ -3,6 +3,10 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) + ]; + options.xdg.portal = { enable = mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{ diff --git a/nixos/modules/config/xdg/sounds.nix b/nixos/modules/config/xdg/sounds.nix index 148240d631c..14d6340fc33 100644 --- a/nixos/modules/config/xdg/sounds.nix +++ b/nixos/modules/config/xdg/sounds.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; { @@ -14,6 +14,10 @@ with lib; }; config = mkIf config.xdg.sounds.enable { + environment.systemPackages = [ + pkgs.sound-theme-freedesktop + ]; + environment.pathsToLink = [ "/share/sounds" ]; diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 534fcc34276..16be8bcfdd7 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -6,6 +6,14 @@ let cfg = config.hardware; in { + imports = [ + (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + ]; + ###### interface options = { diff --git a/nixos/modules/hardware/ckb-next.nix b/nixos/modules/hardware/ckb-next.nix index 20b2756d8b2..fe0ca9f26d5 100644 --- a/nixos/modules/hardware/ckb-next.nix +++ b/nixos/modules/hardware/ckb-next.nix @@ -7,6 +7,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ]) + (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ]) + ]; + options.hardware.ckb-next = { enable = mkEnableOption "the Corsair keyboard/mouse driver"; diff --git a/nixos/modules/hardware/ksm.nix b/nixos/modules/hardware/ksm.nix index 99d46c25236..0938dbdc110 100644 --- a/nixos/modules/hardware/ksm.nix +++ b/nixos/modules/hardware/ksm.nix @@ -6,6 +6,10 @@ let cfg = config.hardware.ksm; in { + imports = [ + (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) + ]; + options.hardware.ksm = { enable = mkEnableOption "Kernel Same-Page Merging"; sleep = mkOption { diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index 57cac56bd8a..89dc5008df5 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -31,6 +31,11 @@ let in { + + imports = [ + (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + ]; + options = { hardware.opengl = { diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 3ab2afc9740..fcb30187fa2 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -75,7 +75,7 @@ in Note that this configuration will only be successful when a display manager for which the <option>services.xserver.displayManager.setupCommands</option> - option is supported is used; notably, SLiM is not supported. + option is supported is used. ''; }; @@ -111,9 +111,10 @@ in config = mkIf enabled { assertions = [ { - assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland; - message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false"; + assertion = with config.services.xserver.displayManager; gdm.nvidiaWayland -> cfg.modesetting.enable; + message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`"; } + { assertion = !optimusCfg.enable || (optimusCfg.nvidiaBusId != "" && optimusCfg.intelBusId != ""); diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index 8109ef76c40..810e1643d31 100644 --- a/nixos/modules/i18n/input-method/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix @@ -27,6 +27,10 @@ let }; in { + imports = [ + (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) + ]; + options = { i18n.inputMethod.ibus = { engines = mkOption { @@ -53,9 +57,15 @@ in config = mkIf (config.i18n.inputMethod.enabled == "ibus") { i18n.inputMethod.package = ibusPackage; + environment.systemPackages = [ + ibusAutostart + ]; + # Without dconf enabled it is impossible to use IBus - environment.systemPackages = with pkgs; [ - gnome3.dconf ibusAutostart + programs.dconf.enable = true; + + services.dbus.packages = [ + ibusAutostart ]; environment.variables = { diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix index 719ba5ffb12..e0b558dcb0d 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix @@ -22,17 +22,7 @@ with lib; }); ''; - services.xserver = { - enable = true; - - # Automatically login as nixos. - displayManager.slim = { - enable = true; - defaultUser = "nixos"; - autoLogin = true; - }; - - }; + services.xserver.enable = true; # Provide networkmanager for easy wireless configuration. networking.networkmanager.enable = true; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 0b813bbf37b..23c3426bff0 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -10,8 +10,6 @@ with lib; services.xserver.desktopManager.gnome3.enable = true; - services.xserver.displayManager.slim.enable = mkForce false; - # Auto-login as root. services.xserver.displayManager.gdm.autoLogin = { enable = true; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix index 1dc7920ff64..e00d3f7535b 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix @@ -11,7 +11,15 @@ with lib; services.xserver = { desktopManager.plasma5 = { enable = true; - enableQt4Support = false; + }; + + # Automatically login as nixos. + displayManager.sddm = { + enable = true; + autoLogin = { + enable = true; + user = "nixos"; + }; }; }; diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 009f1e2c543..11319e5f4f8 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -603,9 +603,6 @@ in { source = config.system.build.squashfsStore; target = "/nix-store.squashfs"; } - { source = config.isoImage.efiSplashImage; - target = "/EFI/boot/efi-background.png"; - } { source = config.isoImage.splashImage; target = "/isolinux/background.png"; } @@ -630,8 +627,8 @@ in { source = "${efiDir}/EFI"; target = "/EFI"; } - { source = pkgs.writeText "loopback.cfg" "source /EFI/boot/grub.cfg"; - target = "/boot/grub/loopback.cfg"; + { source = (pkgs.writeTextDir "grub/loopback.cfg" "source /EFI/boot/grub.cfg") + "/grub"; + target = "/boot/grub"; } ] ++ optionals (config.boot.loader.grub.memtest86.enable && canx86BiosBoot) [ { source = "${pkgs.memtest86plus}/memtest.bin"; @@ -641,6 +638,10 @@ in { source = config.isoImage.grubTheme; target = "/EFI/boot/grub-theme"; } + ] ++ [ + { source = config.isoImage.efiSplashImage; + target = "/EFI/boot/efi-background.png"; + } ]; boot.loader.timeout = 10; diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix index d510f3b2daf..901c60befb6 100644 --- a/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixos/modules/installer/cd-dvd/sd-image.nix @@ -18,6 +18,7 @@ with lib; let rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({ inherit (config.sdImage) storePaths; + compressImage = true; populateImageCommands = config.sdImage.populateRootCommands; volumeLabel = "NIXOS_SD"; } // optionalAttrs (config.sdImage.rootPartitionUUID != null) { @@ -128,10 +129,11 @@ in sdImage.storePaths = [ config.system.build.toplevel ]; - system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs, mtools, libfaketime, utillinux, bzip2 }: stdenv.mkDerivation { + system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs, + mtools, libfaketime, utillinux, bzip2, zstd }: stdenv.mkDerivation { name = config.sdImage.imageName; - nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux bzip2 ]; + nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux bzip2 zstd ]; inherit (config.sdImage) compressImage; @@ -140,13 +142,20 @@ in export img=$out/sd-image/${config.sdImage.imageName} echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system - echo "file sd-image $img" >> $out/nix-support/hydra-build-products + if test -n "$compressImage"; then + echo "file sd-image $img.bz2" >> $out/nix-support/hydra-build-products + else + echo "file sd-image $img" >> $out/nix-support/hydra-build-products + fi + + echo "Decompressing rootfs image" + zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img # Gap in front of the first partition, in MiB gap=8 # Create the image file sized to fit /boot/firmware and /, plus slack for the gap. - rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }') + rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }') firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512)) imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024)) truncate -s $imageSize $img @@ -164,7 +173,7 @@ in # Copy the rootfs into the SD image eval $(partx $img -o START,SECTORS --nr 2 --pairs) - dd conv=notrunc if=${rootfsImage} of=$img seek=$START count=$SECTORS + dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img eval $(partx $img -o START,SECTORS --nr 1 --pairs) diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index f2ffe61c42c..629c56814a1 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -335,6 +335,9 @@ if (@swaps) { next unless -e $swapFilename; my $dev = findStableDevPath $swapFilename; if ($swapType =~ "partition") { + # zram devices are more likely created by configuration.nix, so + # ignore them here + next if ($swapFilename =~ /^\/dev\/zram/); push @swapDevices, "{ device = \"$dev\"; }"; } elsif ($swapType =~ "file") { # swap *files* are more likely specified in configuration.nix, so @@ -498,7 +501,7 @@ if (-f $fb_modes_file && -r $fb_modes_file) { my $console_width = $1, my $console_height = $2; if ($console_width > 1920) { push @attrs, "# High-DPI console"; - push @attrs, 'i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";'; + push @attrs, 'console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";'; } } diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 891f374df53..c53dc1000c4 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -90,6 +90,11 @@ while [ "$#" -gt 0 ]; do targetHost="$1" shift 1 ;; + --use-remote-sudo) + # note the trailing space + maybeSudo="sudo " + shift 1 + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -97,10 +102,6 @@ while [ "$#" -gt 0 ]; do esac done -if [ -n "$SUDO_USER" ]; then - maybeSudo="sudo " -fi - if [ -z "$buildHost" -a -n "$targetHost" ]; then buildHost="$targetHost" fi diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index deecb005270..820553270e3 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -67,6 +67,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) + (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) + (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) + ]; options = { diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 3e8a5b07a5e..bedd87a368e 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -11,6 +11,9 @@ { lib, ... }: +let + inherit (lib) types; +in { options = { @@ -19,6 +22,7 @@ description = '' The user IDs used in NixOS. ''; + type = types.attrsOf types.int; }; ids.gids = lib.mkOption { @@ -26,6 +30,7 @@ description = '' The group IDs used in NixOS. ''; + type = types.attrsOf types.int; }; }; @@ -75,8 +80,8 @@ #kdm = 39; # dropped in 17.03 #ghostone = 40; # dropped in 18.03 git = 41; - fourstore = 42; - fourstorehttp = 43; + #fourstore = 42; # dropped in 20.03 + #fourstorehttp = 43; # dropped in 20.03 virtuoso = 44; rtkit = 45; dovecot2 = 46; @@ -128,7 +133,7 @@ tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice. firebird = 95; #keys = 96; # unused - haproxy = 97; + #haproxy = 97; # DynamicUser as of 2019-11-08 mongodb = 98; openldap = 99; #users = 100; # unused @@ -443,7 +448,7 @@ #tcpcryptd = 93; # unused firebird = 95; keys = 96; - haproxy = 97; + #haproxy = 97; # DynamicUser as of 2019-11-08 #mongodb = 98; # unused openldap = 99; munin = 102; diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 737ed5c0a3f..552535c253e 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -7,6 +7,11 @@ let isMLocate = hasPrefix "mlocate" cfg.locate.name; isFindutils = hasPrefix "findutils" cfg.locate.name; in { + imports = [ + (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) + (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) + ]; + options.services.locate = with types; { enable = mkOption { type = bool; diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 773724ffbd5..0540b493003 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -10,6 +10,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) + (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) + (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) + (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) + ]; options.system = { @@ -92,7 +98,7 @@ in VERSION="${cfg.version} (${cfg.codeName})" VERSION_CODENAME=${toLower cfg.codeName} VERSION_ID="${cfg.version}" - PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" + PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index cacb4b13f41..914f9a878b0 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1,9 +1,7 @@ [ ./config/debug-info.nix - ./config/fonts/corefonts.nix ./config/fonts/fontconfig.nix ./config/fonts/fontconfig-penultimate.nix - ./config/fonts/fontconfig-ultimate.nix ./config/fonts/fontdir.nix ./config/fonts/fonts.nix ./config/fonts/ghostscript.nix @@ -13,6 +11,7 @@ ./config/xdg/mime.nix ./config/xdg/portal.nix ./config/appstream.nix + ./config/console.nix ./config/xdg/sounds.nix ./config/gtk/gtk-icon-cache.nix ./config/gnu.nix @@ -37,7 +36,6 @@ ./config/terminfo.nix ./config/unix-odbc-drivers.nix ./config/users-groups.nix - ./config/vpnc.nix ./config/vte.nix ./config/zram.nix ./hardware/acpilight.nix @@ -257,8 +255,6 @@ ./services/continuous-integration/jenkins/default.nix ./services/continuous-integration/jenkins/job-builder.nix ./services/continuous-integration/jenkins/slave.nix - ./services/databases/4store-endpoint.nix - ./services/databases/4store.nix ./services/databases/aerospike.nix ./services/databases/cassandra.nix ./services/databases/clickhouse.nix @@ -310,6 +306,7 @@ ./services/desktops/gnome3/sushi.nix ./services/desktops/gnome3/tracker.nix ./services/desktops/gnome3/tracker-miners.nix + ./services/desktops/neard.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/system-config-printer.nix ./services/desktops/telepathy.nix @@ -318,6 +315,7 @@ ./services/development/bloop.nix ./services/development/hoogle.nix ./services/development/jupyter/default.nix + ./services/development/lorri.nix ./services/editors/emacs.nix ./services/editors/infinoted.nix ./services/games/factorio.nix @@ -446,6 +444,7 @@ ./services/misc/logkeys.nix ./services/misc/leaps.nix ./services/misc/lidarr.nix + ./services/misc/mame.nix ./services/misc/mathics.nix ./services/misc/matrix-synapse.nix ./services/misc/mbpfan.nix @@ -520,7 +519,6 @@ ./services/monitoring/munin.nix ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix - ./services/monitoring/osquery.nix ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/alertmanager.nix ./services/monitoring/prometheus/exporters.nix @@ -540,7 +538,6 @@ ./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-proxy.nix ./services/monitoring/zabbix-server.nix - ./services/network-filesystems/beegfs.nix ./services/network-filesystems/cachefilesd.nix ./services/network-filesystems/davfs2.nix ./services/network-filesystems/drbd.nix @@ -561,6 +558,7 @@ ./services/network-filesystems/yandex-disk.nix ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/ceph.nix + ./services/networking/3proxy.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -620,7 +618,6 @@ ./services/networking/iodine.nix ./services/networking/iperf3.nix ./services/networking/ircd-hybrid/default.nix - ./services/networking/jormungandr.nix ./services/networking/iwd.nix ./services/networking/keepalived/default.nix ./services/networking/keybase.nix @@ -698,6 +695,7 @@ ./services/networking/sniproxy.nix ./services/networking/smokeping.nix ./services/networking/softether.nix + ./services/networking/spacecookie.nix ./services/networking/spiped.nix ./services/networking/squid.nix ./services/networking/sslh.nix @@ -726,6 +724,7 @@ ./services/networking/tvheadend.nix ./services/networking/unbound.nix ./services/networking/unifi.nix + ./services/networking/v2ray.nix ./services/networking/vsftpd.nix ./services/networking/wakeonlan.nix ./services/networking/websockify.nix @@ -817,6 +816,7 @@ ./services/web-apps/restya-board.nix ./services/web-apps/tt-rss.nix ./services/web-apps/trac.nix + ./services/web-apps/trilium.nix ./services/web-apps/selfoss.nix ./services/web-apps/shiori.nix ./services/web-apps/virtlyst.nix @@ -844,6 +844,7 @@ ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix + ./services/web-servers/ttyd.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix ./services/web-servers/zope2.nix @@ -870,6 +871,7 @@ ./services/x11/hardware/digimend.nix ./services/x11/hardware/cmt.nix ./services/x11/gdk-pixbuf.nix + ./services/x11/imwheel.nix ./services/x11/redshift.nix ./services/x11/urxvtd.nix ./services/x11/window-managers/awesome.nix @@ -940,7 +942,6 @@ ./tasks/filesystems/vfat.nix ./tasks/filesystems/xfs.nix ./tasks/filesystems/zfs.nix - ./tasks/kbd.nix ./tasks/lvm.nix ./tasks/network-interfaces.nix ./tasks/network-interfaces-systemd.nix diff --git a/nixos/modules/profiles/graphical.nix b/nixos/modules/profiles/graphical.nix index 649f5564ac6..d80456cede5 100644 --- a/nixos/modules/profiles/graphical.nix +++ b/nixos/modules/profiles/graphical.nix @@ -9,14 +9,12 @@ displayManager.sddm.enable = true; desktopManager.plasma5 = { enable = true; - enableQt4Support = false; }; libinput.enable = true; # for touchpad support on many laptops }; # Enable sound in virtualbox appliances. hardware.pulseaudio.enable = true; - hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root. environment.systemPackages = [ pkgs.glxinfo pkgs.firefox ]; } diff --git a/nixos/modules/programs/adb.nix b/nixos/modules/programs/adb.nix index 250d8c252a3..83bcfe886aa 100644 --- a/nixos/modules/programs/adb.nix +++ b/nixos/modules/programs/adb.nix @@ -23,7 +23,8 @@ with lib; ###### implementation config = mkIf config.programs.adb.enable { services.udev.packages = [ pkgs.android-udev-rules ]; - environment.systemPackages = [ pkgs.androidenv.androidPkgs_9_0.platform-tools ]; + # Give platform-tools lower priority so mke2fs+friends are taken from other packages first + environment.systemPackages = [ (lowPrio pkgs.androidenv.androidPkgs_9_0.platform-tools) ]; users.groups.adbusers = {}; }; } diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 548babac38c..366c07c0a35 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -40,6 +40,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") + ]; + options = { programs.bash = { diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix index eeebc3558bd..e0e2ffd80cf 100644 --- a/nixos/modules/programs/dconf.nix +++ b/nixos/modules/programs/dconf.nix @@ -32,13 +32,13 @@ in environment.etc = optionals (cfg.profiles != {}) (mapAttrsToList mkDconfProfile cfg.profiles); - services.dbus.packages = [ pkgs.gnome3.dconf ]; + services.dbus.packages = [ pkgs.dconf ]; # For dconf executable - environment.systemPackages = [ pkgs.gnome3.dconf ]; + environment.systemPackages = [ pkgs.dconf ]; # Needed for unwrapped applications - environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ]; + environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; }; } diff --git a/nixos/modules/programs/nm-applet.nix b/nixos/modules/programs/nm-applet.nix index e42219e9638..1b806071c43 100644 --- a/nixos/modules/programs/nm-applet.nix +++ b/nixos/modules/programs/nm-applet.nix @@ -10,5 +10,7 @@ partOf = [ "graphical-session.target" ]; serviceConfig.ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet"; }; + + services.dbus.packages = [ pkgs.gcr ]; }; } diff --git a/nixos/modules/programs/oblogout.nix b/nixos/modules/programs/oblogout.nix index 720c29b1eae..a039b0623b5 100644 --- a/nixos/modules/programs/oblogout.nix +++ b/nixos/modules/programs/oblogout.nix @@ -1,176 +1,11 @@ -# Global configuration for oblogout. - { config, lib, pkgs, ... }: with lib; -let cfg = config.programs.oblogout; - -in { - ###### interface - - options = { - - programs.oblogout = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to install OBLogout and create <filename>/etc/oblogout.conf</filename>. - See <filename>${pkgs.oblogout}/share/doc/README</filename>. - ''; - }; - - opacity = mkOption { - type = types.int; - default = 70; - description = '' - Opacity percentage of Cairo rendered backgrounds. - ''; - }; - - bgcolor = mkOption { - type = types.str; - default = "black"; - description = '' - Colour name or hex code (#ffffff) of the background color. - ''; - }; - - buttontheme = mkOption { - type = types.str; - default = "simplistic"; - description = '' - Icon theme for the buttons, must be in the themes folder of - the package, or in - <filename>~/.themes/<name>/oblogout/</filename>. - ''; - }; - - buttons = mkOption { - type = types.str; - default = "cancel, logout, restart, shutdown, suspend, hibernate"; - description = '' - List and order of buttons to show. - ''; - }; - - cancel = mkOption { - type = types.str; - default = "Escape"; - description = '' - Cancel logout/shutdown shortcut. - ''; - }; - - shutdown = mkOption { - type = types.str; - default = "S"; - description = '' - Shutdown shortcut. - ''; - }; - - restart = mkOption { - type = types.str; - default = "R"; - description = '' - Restart shortcut. - ''; - }; - - suspend = mkOption { - type = types.str; - default = "U"; - description = '' - Suspend shortcut. - ''; - }; - - logout = mkOption { - type = types.str; - default = "L"; - description = '' - Logout shortcut. - ''; - }; - - lock = mkOption { - type = types.str; - default = "K"; - description = '' - Lock session shortcut. - ''; - }; - - hibernate = mkOption { - type = types.str; - default = "H"; - description = '' - Hibernate shortcut. - ''; - }; - - clogout = mkOption { - type = types.str; - default = "openbox --exit"; - description = '' - Command to logout. - ''; - }; - - clock = mkOption { - type = types.str; - default = ""; - description = '' - Command to lock screen. - ''; - }; - - cswitchuser = mkOption { - type = types.str; - default = ""; - description = '' - Command to switch user. - ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.oblogout ]; - - environment.etc."oblogout.conf".text = '' - [settings] - usehal = false - - [looks] - opacity = ${toString cfg.opacity} - bgcolor = ${cfg.bgcolor} - buttontheme = ${cfg.buttontheme} - buttons = ${cfg.buttons} - [shortcuts] - cancel = ${cfg.cancel} - shutdown = ${cfg.shutdown} - restart = ${cfg.restart} - suspend = ${cfg.suspend} - logout = ${cfg.logout} - lock = ${cfg.lock} - hibernate = ${cfg.hibernate} + imports = [ + (mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") + ]; - [commands] - shutdown = systemctl poweroff - restart = systemctl reboot - suspend = systemctl suspend - hibernate = systemctl hibernate - logout = ${cfg.clogout} - lock = ${cfg.clock} - switchuser = ${cfg.cswitchuser} - ''; - }; } diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 703975fd06c..80198990ed1 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -251,7 +251,7 @@ in ExecStart = "${cfg.package}/bin/ssh-agent " + optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") + - optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + "-a %t/ssh-agent"; StandardOutput = "null"; Type = "forking"; diff --git a/nixos/modules/programs/ssmtp.nix b/nixos/modules/programs/ssmtp.nix index 0e060e3f522..f794eac8af0 100644 --- a/nixos/modules/programs/ssmtp.nix +++ b/nixos/modules/programs/ssmtp.nix @@ -8,18 +8,21 @@ with lib; let - - cfg = config.networking.defaultMailServer; + cfg = config.services.ssmtp; in - { + imports = [ + (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ]) + (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ]) + ]; + options = { - networking.defaultMailServer = { + services.ssmtp = { - directDelivery = mkOption { + enable = mkOption { type = types.bool; default = false; description = '' @@ -29,7 +32,7 @@ in <command>sendmail</command> or <command>postfix</command> on your machine, set this option to <literal>true</literal>, and set the option - <option>networking.defaultMailServer.hostName</option> to the + <option>services.ssmtp.hostName</option> to the host name of your preferred mail server. ''; }; @@ -129,9 +132,9 @@ in }; - config = mkIf cfg.directDelivery { + config = mkIf cfg.enable { - networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "") + services.ssmtp.authPassFile = mkIf (cfg.authPass != "") (mkDefault (toString (pkgs.writeTextFile { name = "ssmtp-authpass"; text = cfg.authPass; diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix index f92d09a7ef4..e2a4018e902 100644 --- a/nixos/modules/programs/sway.nix +++ b/nixos/modules/programs/sway.nix @@ -4,26 +4,32 @@ with lib; let cfg = config.programs.sway; - swayPackage = pkgs.sway; - swayWrapped = pkgs.writeShellScriptBin "sway" '' - set -o errexit - - if [ ! "$_SWAY_WRAPPER_ALREADY_EXECUTED" ]; then - export _SWAY_WRAPPER_ALREADY_EXECUTED=1 - ${cfg.extraSessionCommands} - fi + wrapperOptions = types.submodule { + options = + let + mkWrapperFeature = default: description: mkOption { + type = types.bool; + inherit default; + example = !default; + description = "Whether to make use of the ${description}"; + }; + in { + base = mkWrapperFeature true '' + base wrapper to execute extra session commands and prepend a + dbus-run-session to the sway command. + ''; + gtk = mkWrapperFeature false '' + wrapGAppsHook wrapper to execute sway with required environment + variables for GTK applications. + ''; + }; + }; - if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then - export DBUS_SESSION_BUS_ADDRESS - exec ${swayPackage}/bin/sway "$@" - else - exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@" - fi - ''; - swayJoined = pkgs.symlinkJoin { - name = "sway-joined"; - paths = [ swayWrapped swayPackage ]; + swayPackage = pkgs.sway.override { + extraSessionCommands = cfg.extraSessionCommands; + withBaseWrapper = cfg.wrapperFeatures.base; + withGtkWrapper = cfg.wrapperFeatures.gtk; }; in { options.programs.sway = { @@ -35,6 +41,15 @@ in { Please have a look at the "extraSessionCommands" example for running programs natively under Wayland''; + wrapperFeatures = mkOption { + type = wrapperOptions; + default = { }; + example = { gtk = true; }; + description = '' + Attribute set of features to enable in the wrapper. + ''; + }; + extraSessionCommands = mkOption { type = types.lines; default = ""; @@ -55,7 +70,7 @@ in { extraPackages = mkOption { type = with types; listOf package; default = with pkgs; [ - swaylock swayidle swaybg + swaylock swayidle xwayland rxvt_unicode dmenu ]; defaultText = literalExample '' @@ -75,8 +90,17 @@ in { }; config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base; + message = '' + The extraSessionCommands for Sway will not be run if + wrapperFeatures.base is disabled. + ''; + } + ]; environment = { - systemPackages = [ swayJoined ] ++ cfg.extraPackages; + systemPackages = [ swayPackage ] ++ cfg.extraPackages; etc = { "sway/config".source = mkOptionDefault "${swayPackage}/etc/sway/config"; #"sway/security.d".source = mkOptionDefault "${swayPackage}/etc/sway/security.d/"; @@ -87,6 +111,8 @@ in { hardware.opengl.enable = mkDefault true; fonts.enableDefaultFonts = mkDefault true; programs.dconf.enable = mkDefault true; + # To make a Sway session available if a display manager like SDDM is enabled: + services.xserver.displayManager.sessionPackages = [ swayPackage ]; }; meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ]; diff --git a/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixos/modules/programs/zsh/oh-my-zsh.nix index f4df4e983e4..932a780a356 100644 --- a/nixos/modules/programs/zsh/oh-my-zsh.nix +++ b/nixos/modules/programs/zsh/oh-my-zsh.nix @@ -29,6 +29,13 @@ let in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) + ]; + options = { programs.zsh.ohMyZsh = { enable = mkOption { diff --git a/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixos/modules/programs/zsh/zsh-autosuggestions.nix index ded17f38a61..037888fdc5a 100644 --- a/nixos/modules/programs/zsh/zsh-autosuggestions.nix +++ b/nixos/modules/programs/zsh/zsh-autosuggestions.nix @@ -6,6 +6,10 @@ let cfg = config.programs.zsh.autosuggestions; in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) + ]; + options.programs.zsh.autosuggestions = { enable = mkEnableOption "zsh-autosuggestions"; diff --git a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index 7184e5d9b9a..927a904369d 100644 --- a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -6,6 +6,13 @@ let cfg = config.programs.zsh.syntaxHighlighting; in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) + ]; + options = { programs.zsh.syntaxHighlighting = { enable = mkEnableOption "zsh-syntax-highlighting"; @@ -81,7 +88,7 @@ in ]; programs.zsh.interactiveShellInit = with pkgs; - lib.concatStringsSep "\n" ([ + lib.mkAfter (lib.concatStringsSep "\n" ([ "source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" ] ++ optional (length(cfg.highlighters) > 0) "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})" @@ -95,6 +102,6 @@ in styles: design: "ZSH_HIGHLIGHT_STYLES[${styles}]='${design}'" ) cfg.styles) - ); + )); }; } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 886e2e83ba6..7109ab5a109 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -4,292 +4,30 @@ with lib; { imports = [ - (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) - (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] - (config: - let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; - in if enabled then [ pkgs.gutenprint ] else [ ])) - (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] - (config: - let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; - in if value != "" then [ value ] else [])) - (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") - (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) - (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"]) - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") - (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ]) - (mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ]) - (mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ]) - (mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ]) - (mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.") - (mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.") - (mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "configFile" ] "The configuration of nzbget is now managed by users through the web interface.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "dataDir" ] "The data directory for nzbget is now /var/lib/nzbget.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' - Due to incompatibility, the alertmanagerURL option has been removed, - please use 'services.prometheus2.alertmanagers' instead. - '') - (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) - (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) - (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) - (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) + /* + This file defines some renaming/removing options for backwards compatibility - (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ]) - (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") - - (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) - - (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") - - (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") - (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") - - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - - # PAM - (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) - - # rmilter/rspamd - (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service") - - # Xsession script - (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) - (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) - - # Old Grub-related options. - (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) - (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) - - # OpenSSH - (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) - (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) - - # libvirtd - (mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ] - "Set the option `virtualisation.libvirtd.qemuPackage' instead.") - - # ibus - (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) - - # sandboxing - (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) - (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) - - (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + It should ONLY be used when the relevant module can't define these imports + itself, such as when the module was removed completely. + See https://github.com/NixOS/nixpkgs/pull/61570 for explanation + */ + # This alias module can't be where _module.check is defined because it would + # be added to submodules as well there (mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ]) - # opendkim - (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ]) - - # Enlightenment - (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) - - # Iodine - (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) - (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) - (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) - (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) - (mkRemovedOptionModule [ "services" "iodined" "client" ] "") - - # Unity3D - (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) - - # murmur - (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) - (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") - - # parsoid - (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead") - - # plexpy / tautulli - (mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ]) - - # piwik was renamed to matomo - (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ]) - (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ]) - (mkRemovedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") - (mkRemovedOptionModule [ "services" "matomo" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") - (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ]) - - # tarsnap - (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") - - # alsa - (mkRenamedOptionModule [ "sound" "enableMediaKeys" ] [ "sound" "mediaKeys" "enable" ]) - - # postgrey - (mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let - value = p: getAttrFromPath p config; - inetAddr = [ "services" "postgrey" "inetAddr" ]; - inetPort = [ "services" "postgrey" "inetPort" ]; - in - if value inetAddr == null - then { path = "/run/postgrey.sock"; } - else { addr = value inetAddr; port = value inetPort; } - )) - - # dhcpd - (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) - - # locate - (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) - (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) - - # nfs - (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) - (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) - - # KDE Plasma 5 - (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) - - # Fontconfig - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) - - # postgresqlBackup - (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' - A systemd timer is now used instead of cron. - The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. - '') - - # phpfpm - (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") - - # zabbixServer - (mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) - - # Profile splitting - (mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ]) - - # misc/version.nix - (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) - (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) - (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) - (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) - - # Users - (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) - (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) - - # Options that are obsolete and have no replacement. - (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") - (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") - (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") - (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "") - (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "") - (mkRemovedOptionModule [ "ec2" "metadata" ] "") - (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") - (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "") - (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "") - (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") - (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") - (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ] - "See the 16.09 release notes for more information.") - (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") - (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + # Completely removed modules (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "") (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") - (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] - "Set the option `services.xserver.displayManager.sddm.package' instead.") - (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") - (mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.") - (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") - (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.") - (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") - (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") - (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") - (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") - - # ZSH - (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) - - (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) - - # Xen - (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) - - (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) - (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) - (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) - - # ckb - (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ]) - (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ]) - - # binfmt - (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) - - # ACME - (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") - (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - - # KSM - (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) - - # resolvconf - (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ]) - (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ]) - (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ]) - (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ]) - - # BLCR + (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.") (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed") - - # Redis - (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") - (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") - (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") - (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") - (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") - - ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" - "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" - "snmpExporter" "unifiExporter" "varnishExporter" ] - (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' - The prometheus exporters are now configured using `services.prometheus.exporters'. - See the 18.03 release notes for more information. - '' )); + (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed") + (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed") + (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed") + (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed") + (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") + + # Do NOT add any option renames here, see top of the file + ]; } diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index d14613f22b0..890c421b0ea 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -127,6 +127,9 @@ in "https://acme-staging-v02.api.letsencrypt.org/directory". '' ) + (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") + (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") + (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") ]; options = { security.acme = { @@ -224,6 +227,12 @@ in environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; serviceConfig = { Type = "oneshot"; + # With RemainAfterExit the service is considered active even + # after the main process having exited, which means when it + # gets changed, the activation phase restarts it, meaning + # the permissions of the StateDirectory get adjusted + # according to the specified group + RemainAfterExit = true; SuccessExitStatus = [ "0" "1" ]; User = data.user; Group = data.group; @@ -232,9 +241,9 @@ in StateDirectoryMode = rights; WorkingDirectory = "/var/lib/${lpath}"; ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; - ExecStopPost = + ExecStartPost = let - script = pkgs.writeScript "acme-post-stop" '' + script = pkgs.writeScript "acme-post-start" '' #!${pkgs.runtimeShell} -e ${data.postRun} ''; diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index 498c2f25d1c..3c93f5440ab 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -4,6 +4,9 @@ let in with lib; { + imports = [ + (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; options.security.apparmor.confineSUIDApplications = mkOption { default = true; diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index 2255477f26e..b83dbc4202a 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -7,6 +7,10 @@ let sandbox = pkgs.chromium.sandbox; in { + imports = [ + (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) + ]; + options.security.chromiumSuidSandbox.enable = mkOption { type = types.bool; default = false; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 11227354ad3..0adc27c47f0 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -484,6 +484,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) + ]; + ###### interface options = { @@ -707,7 +711,7 @@ in Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further - details on how to configure offline Challenge-Response validation. + details on how to configure offline Challenge-Response validation. More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index f2b2df4004c..a6724bd7583 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -42,15 +42,14 @@ in security.polkit.adminIdentities = mkOption { type = types.listOf types.str; - default = [ "unix-user:0" "unix-group:wheel" ]; + default = [ "unix-group:wheel" ]; example = [ "unix-user:alice" "unix-group:admin" ]; description = '' Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an <literal>auth_admin</literal> - value). By default, this is the <literal>root</literal> - user and all users in the <literal>wheel</literal> group. + value). By default, this is all users in the <literal>wheel</literal> group. ''; }; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 47738e7962e..a0fadb018ec 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -94,6 +94,10 @@ let ) programs; in { + imports = [ + (lib.mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") + (lib.mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") + ]; ###### interface diff --git a/nixos/modules/services/admin/oxidized.nix b/nixos/modules/services/admin/oxidized.nix index da81be3f23e..885eaed1de6 100644 --- a/nixos/modules/services/admin/oxidized.nix +++ b/nixos/modules/services/admin/oxidized.nix @@ -111,6 +111,7 @@ in Restart = "always"; WorkingDirectory = cfg.dataDir; KillSignal = "SIGKILL"; + PIDFile = "${cfg.dataDir}.config/oxidized/pid"; }; }; }; diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix index f632644af09..990398e6546 100644 --- a/nixos/modules/services/audio/alsa.nix +++ b/nixos/modules/services/audio/alsa.nix @@ -12,6 +12,9 @@ let in { + imports = [ + (mkRenamedOptionModule [ "sound" "enableMediaKeys" ] [ "sound" "mediaKeys" "enable" ]) + ]; ###### interface diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index 56dc858b640..7932d094197 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -18,7 +18,6 @@ let ''} state_file "${cfg.dataDir}/state" sticker_file "${cfg.dataDir}/sticker.sql" - log_file "syslog" user "${cfg.user}" group "${cfg.group}" diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix index 4eda3c5708d..6aed485638c 100644 --- a/nixos/modules/services/audio/roon-server.nix +++ b/nixos/modules/services/audio/roon-server.nix @@ -66,7 +66,8 @@ in { if cfg.user == "roon-server" then { isSystemUser = true; description = "Roon Server user"; - groups = [ cfg.group "audio" ]; + group = cfg.group; + extraGroups = [ "audio" ]; } else {}; }; diff --git a/nixos/modules/services/backup/bacula.nix b/nixos/modules/services/backup/bacula.nix index 41bda7893a7..cef304734ae 100644 --- a/nixos/modules/services/backup/bacula.nix +++ b/nixos/modules/services/backup/bacula.nix @@ -44,7 +44,17 @@ let Pid Directory = "/run"; ${sd_cfg.extraStorageConfig} } - + + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' + Autochanger { + Name = "${name}"; + Device = ${concatStringsSep ", " (map (a: "\"${a}\"") value.devices)}; + Changer Device = "${value.changerDevice}"; + Changer Command = "${value.changerCommand}"; + ${value.extraAutochangerConfig} + } + '') sd_cfg.autochanger)} + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' Device { Name = "${name}"; @@ -103,7 +113,19 @@ let password = mkOption { # TODO: required? description = '' - Specifies the password that must be supplied for a Director to b + Specifies the password that must be supplied for the default Bacula + Console to be authorized. The same password must appear in the + Director resource of the Console configuration file. For added + security, the password is never passed across the network but instead + a challenge response hash code created with the password. This + directive is required. If you have either /dev/random or bc on your + machine, Bacula will generate a random password during the + configuration process, otherwise it will be left blank and you must + manually supply it. + + The password is plain text. It is not generated through any special + process but as noted above, it is better to use random text for + security reasons. ''; }; @@ -111,26 +133,133 @@ let default = "no"; example = "yes"; description = '' - If Monitor is set to no (default), this director will have full + If Monitor is set to <literal>no</literal>, this director will have + full access to this Storage daemon. If Monitor is set to + <literal>yes</literal>, this director will only be able to fetch the + current status of this Storage daemon. + + Please note that if this director is being used by a Monitor, we + highly recommend to set this directive to yes to avoid serious + security problems. + ''; + }; + }; + }; + + autochangerOptions = {...}: + { + options = { + changerDevice = mkOption { + description = '' + The specified name-string must be the generic SCSI device name of the + autochanger that corresponds to the normal read/write Archive Device + specified in the Device resource. This generic SCSI device name + should be specified if you have an autochanger or if you have a + standard tape drive and want to use the Alert Command (see below). + For example, on Linux systems, for an Archive Device name of + <literal>/dev/nst0</literal>, you would specify + <literal>/dev/sg0</literal> for the Changer Device name. Depending + on your exact configuration, and the number of autochangers or the + type of autochanger, what you specify here can vary. This directive + is optional. See the Using AutochangersAutochangersChapter chapter of + this manual for more details of using this and the following + autochanger directives. + ''; + }; + + changerCommand = mkOption { + description = '' + The name-string specifies an external program to be called that will + automatically change volumes as required by Bacula. Normally, this + directive will be specified only in the AutoChanger resource, which + is then used for all devices. However, you may also specify the + different Changer Command in each Device resource. Most frequently, + you will specify the Bacula supplied mtx-changer script as follows: + + <literal>"/path/mtx-changer %c %o %S %a %d"</literal> + + and you will install the mtx on your system (found in the depkgs + release). An example of this command is in the default bacula-sd.conf + file. For more details on the substitution characters that may be + specified to configure your autochanger please see the + AutochangersAutochangersChapter chapter of this manual. For FreeBSD + users, you might want to see one of the several chio scripts in + examples/autochangers. + ''; + default = "/etc/bacula/mtx-changer %c %o %S %a %d"; + }; + + devices = mkOption { + description = '' + ''; + }; + + extraAutochangerConfig = mkOption { + default = ""; + description = '' + Extra configuration to be passed in Autochanger directive. + ''; + example = '' + ''; }; }; }; + deviceOptions = {...}: { options = { archiveDevice = mkOption { # TODO: required? description = '' - The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example " /dev/nst0" or "/dev/rmt/0mbn". For a DVD-writer, it will be for example /dev/hdc. It may also be a directory name if you are archiving to disk storage. + The specified name-string gives the system file name of the storage + device managed by this storage daemon. This will usually be the + device file name of a removable storage device (tape drive), for + example <literal>/dev/nst0</literal> or + <literal>/dev/rmt/0mbn</literal>. For a DVD-writer, it will be for + example <literal>/dev/hdc</literal>. It may also be a directory name + if you are archiving to disk storage. In this case, you must supply + the full absolute path to the directory. When specifying a tape + device, it is preferable that the "non-rewind" variant of the device + file name be given. ''; }; mediaType = mkOption { # TODO: required? description = '' - The specified name-string names the type of media supported by this device, for example, "DLT7000". Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director's configuration file. + The specified name-string names the type of media supported by this + device, for example, <literal>DLT7000</literal>. Media type names are + arbitrary in that you set them to anything you want, but they must be + known to the volume database to keep track of which storage daemons + can read which volumes. In general, each different storage type + should have a unique Media Type associated with it. The same + name-string must appear in the appropriate Storage resource + definition in the Director's configuration file. + + Even though the names you assign are arbitrary (i.e. you choose the + name you want), you should take care in specifying them because the + Media Type is used to determine which storage device Bacula will + select during restore. Thus you should probably use the same Media + Type specification for all drives where the Media can be freely + interchanged. This is not generally an issue if you have a single + Storage daemon, but it is with multiple Storage daemons, especially + if they have incompatible media. + + For example, if you specify a Media Type of <literal>DDS-4</literal> + then during the restore, Bacula will be able to choose any Storage + Daemon that handles <literal>DDS-4</literal>. If you have an + autochanger, you might want to name the Media Type in a way that is + unique to the autochanger, unless you wish to possibly use the + Volumes in other drives. You should also ensure to have unique Media + Type names if the Media is not compatible between drives. This + specification is required for all devices. + + In addition, if you are using disk storage, each Device resource will + generally have a different mount point or directory. In order for + Bacula to select the correct Device resource, each one must have a + unique Media Type. ''; }; @@ -166,8 +295,8 @@ in { default = "${config.networking.hostName}-fd"; description = '' The client name that must be used by the Director when connecting. - Generally, it is a good idea to use a name related to the machine - so that error messages can be easily identified if you have multiple + Generally, it is a good idea to use a name related to the machine so + that error messages can be easily identified if you have multiple Clients. This directive is required. ''; }; @@ -232,7 +361,8 @@ in { default = 9103; type = types.int; description = '' - Specifies port number on which the Storage daemon listens for Director connections. The default is 9103. + Specifies port number on which the Storage daemon listens for + Director connections. ''; }; @@ -251,7 +381,15 @@ in { ''; type = with types; attrsOf (submodule deviceOptions); }; - + + autochanger = mkOption { + default = {}; + description = '' + This option defines Autochanger resources in Bacula Storage Daemon. + ''; + type = with types; attrsOf (submodule autochangerOptions); + }; + extraStorageConfig = mkOption { default = ""; description = '' @@ -287,7 +425,8 @@ in { name = mkOption { default = "${config.networking.hostName}-dir"; description = '' - The director name used by the system administrator. This directive is required. + The director name used by the system administrator. This directive is + required. ''; }; @@ -295,7 +434,12 @@ in { default = 9101; type = types.int; description = '' - Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify DirAddresses (N.B plural) directive. + Specify the port (a positive integer) on which the Director daemon + will listen for Bacula Console connections. This same port number + must be specified in the Director resource of the Console + configuration file. The default is 9101, so normally this directive + need not be specified. This directive should not be used if you + specify DirAddresses (N.B plural) directive. ''; }; diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index 10d42325a6b..a2eb80c55a8 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -68,7 +68,7 @@ let { BORG_PASSPHRASE = passphrase; } else { }; - mkBackupService = name: cfg: + mkBackupService = name: cfg: let userHome = config.users.users.${cfg.user}.home; in nameValuePair "borgbackup-job-${name}" { @@ -98,6 +98,23 @@ let inherit (cfg) startAt; }; + # utility function around makeWrapper + mkWrapperDrv = { + original, name, set ? {} + }: + pkgs.runCommandNoCC "${name}-wrapper" { + buildInputs = [ pkgs.makeWrapper ]; + } (with lib; '' + makeWrapper "${original}" "$out/bin/${name}" \ + ${concatStringsSep " \\\n " (mapAttrsToList (name: value: ''--set ${name} "${value}"'') set)} + ''); + + mkBorgWrapper = name: cfg: mkWrapperDrv { + original = "${pkgs.borgbackup}/bin/borg"; + name = "borg-job-${name}"; + set = { BORG_REPO = cfg.repo; } // (mkPassEnv cfg) // cfg.environment; + }; + # Paths listed in ReadWritePaths must exist before service is started mkActivationScript = name: cfg: let @@ -176,7 +193,11 @@ in { ###### interface options.services.borgbackup.jobs = mkOption { - description = "Deduplicating backups using BorgBackup."; + description = '' + Deduplicating backups using BorgBackup. + Adding a job will cause a borg-job-NAME wrapper to be added + to your system path, so that you can perform maintenance easily. + ''; default = { }; example = literalExample '' { @@ -623,6 +644,6 @@ in { users = mkMerge (mapAttrsToList mkUsersConfig repos); - environment.systemPackages = with pkgs; [ borgbackup ]; + environment.systemPackages = with pkgs; [ borgbackup ] ++ (mapAttrsToList mkBorgWrapper jobs); }); } diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix index 13a36ae32ac..580c7ce68f1 100644 --- a/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixos/modules/services/backup/postgresql-backup.nix @@ -35,6 +35,13 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' + A systemd timer is now used instead of cron. + The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. + '') + ]; + options = { services.postgresqlBackup = { enable = mkOption { @@ -82,7 +89,7 @@ in { pgdumpOptions = mkOption { type = types.separatedString " "; - default = "-Cbo"; + default = "-C"; description = '' Command line options for pg_dump. This options is not used if <literal>config.services.postgresqlBackup.backupAll</literal> is enabled. diff --git a/nixos/modules/services/backup/tarsnap.nix b/nixos/modules/services/backup/tarsnap.nix index 4fc7c24813a..6d99a1efb61 100644 --- a/nixos/modules/services/backup/tarsnap.nix +++ b/nixos/modules/services/backup/tarsnap.nix @@ -23,6 +23,10 @@ let ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") + ]; + options = { services.tarsnap = { enable = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix b/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix index 70f96d75a46..2ed7742eda0 100644 --- a/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix @@ -5,6 +5,10 @@ with lib; let cfg = config.services.kubernetes.addons.dashboard; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) + ]; + options.services.kubernetes.addons.dashboard = { enable = mkEnableOption "kubernetes dashboard addon"; diff --git a/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixos/modules/services/cluster/kubernetes/addons/dns.nix index 47e588de3c9..f12e866930d 100644 --- a/nixos/modules/services/cluster/kubernetes/addons/dns.nix +++ b/nixos/modules/services/cluster/kubernetes/addons/dns.nix @@ -3,7 +3,7 @@ with lib; let - version = "1.5.0"; + version = "1.6.4"; cfg = config.services.kubernetes.addons.dns; ports = { dns = 10053; @@ -55,9 +55,9 @@ in { type = types.attrs; default = { imageName = "coredns/coredns"; - imageDigest = "sha256:e83beb5e43f8513fa735e77ffc5859640baea30a882a11cc75c4c3244a737d3c"; + imageDigest = "sha256:493ee88e1a92abebac67cbd4b5658b4730e0f33512461442d8d9214ea6734a9b"; finalImageTag = version; - sha256 = "15sbmhrxjxidj0j0cccn1qxpg6al175w43m6ngspl0mc132zqc9q"; + sha256 = "0fm9zdjavpf5hni8g7fkdd3csjbhd7n7py7llxjc66sbii087028"; }; }; }; @@ -68,7 +68,7 @@ in { services.kubernetes.addonManager.bootstrapAddons = { coredns-cr = { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "ClusterRole"; metadata = { labels = { @@ -94,7 +94,7 @@ in { }; coredns-crb = { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "ClusterRoleBinding"; metadata = { annotations = { @@ -170,7 +170,7 @@ in { }; coredns-deploy = { - apiVersion = "extensions/v1beta1"; + apiVersion = "apps/v1"; kind = "Deployment"; metadata = { labels = { diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index 33796bf2e08..95bdb4c0d14 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -13,6 +13,18 @@ let )) + ".1"); in { + + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"]) + (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) + ]; + ###### interface options.services.kubernetes.apiserver = with lib.types; { diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index 0b73d090f24..a99ef6640e9 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -7,6 +7,11 @@ let cfg = top.controllerManager; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) + (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"]) + ]; + ###### interface options.services.kubernetes.controllerManager = with lib.types; { diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 3790ac9b691..3605d036509 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -74,6 +74,10 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") + ]; + ###### interface options.services.kubernetes = { diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix index d799e638fc9..548ffed1ddb 100644 --- a/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -40,6 +40,7 @@ in cni.config = mkDefault [{ name = "mynet"; type = "flannel"; + cniVersion = "0.3.1"; delegate = { isDefaultGateway = true; bridge = "docker0"; diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 250da4c807e..c3d67552cc8 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -52,6 +52,12 @@ let taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.taints); in { + imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") + ]; + ###### interface options.services.kubernetes.kubelet = with lib.types; { @@ -92,7 +98,7 @@ in default = []; example = literalExample '' [{ - "cniVersion": "0.2.0", + "cniVersion": "0.3.1", "name": "mynet", "type": "bridge", "bridge": "cni0", @@ -106,7 +112,7 @@ in ] } } { - "cniVersion": "0.2.0", + "cniVersion": "0.3.1", "type": "loopback" }] ''; diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index bd4bf04ea83..86d1dc2439b 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -7,6 +7,9 @@ let cfg = top.proxy; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) + ]; ###### interface options.services.kubernetes.proxy = with lib.types; { @@ -31,6 +34,12 @@ in type = listOf str; }; + hostname = mkOption { + description = "Kubernetes proxy hostname override."; + default = config.networking.hostName; + type = str; + }; + kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy"; verbosity = mkOption { @@ -59,6 +68,7 @@ in "--cluster-cidr=${top.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ + --hostname-override=${cfg.hostname} \ --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} @@ -69,6 +79,8 @@ in }; }; + services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName; + services.kubernetes.pki.certs = { kubeProxyClient = top.lib.mkCert { name = "kube-proxy-client"; diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index d1a1383e45b..c70d999ca96 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix @@ -18,7 +18,7 @@ let ${optionalString (cfg.controlAddr != null) ''controlAddr=${cfg.controlAddr}''} ${toString (map (x: "NodeName=${x}\n") cfg.nodeName)} ${toString (map (x: "PartitionName=${x}\n") cfg.partitionName)} - PlugStackConfig=${plugStackConfig} + PlugStackConfig=${plugStackConfig}/plugstack.conf ProctrackType=${cfg.procTrackType} ${cfg.extraConfig} ''; @@ -39,6 +39,8 @@ let DbdHost=${cfg.dbdserver.dbdHost} SlurmUser=${cfg.user} StorageType=accounting_storage/mysql + StorageUser=${cfg.dbdserver.storageUser} + ${optionalString (cfg.dbdserver.storagePass != null) "StoragePass=${cfg.dbdserver.storagePass}"} ${cfg.dbdserver.extraConfig} ''; @@ -48,7 +50,6 @@ let name = "etc-slurm"; paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths; }; - in { @@ -86,6 +87,37 @@ in ''; }; + storageUser = mkOption { + type = types.str; + default = cfg.user; + description = '' + Database user name. + ''; + }; + + storagePass = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Database password. Note that this password will be publicable + readable in the nix store. Use <option>configFile</option> + to store the and config file and password outside the nix store. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to <literal>slurmdbd.conf</literal>. The password for the database connection + is stored in the config file. Use this option to specfify a path + outside the nix store. If this option is unset a configuration file + will be generated. See also: + <citerefentry><refentrytitle>slurmdbd.conf</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -112,7 +144,7 @@ in package = mkOption { type = types.package; - default = pkgs.slurm; + default = pkgs.slurm.override { enableX11 = ! cfg.enableSrunX11; }; defaultText = "pkgs.slurm"; example = literalExample "pkgs.slurm-full"; description = '' @@ -178,9 +210,14 @@ in If enabled srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job. This activates the slurm-spank-x11 module. Note that this option also enables - 'services.openssh.forwardX11' on the client. + <option>services.openssh.forwardX11</option> on the client. This option requires slurm to be compiled without native X11 support. + The default behavior is to re-compile the slurm package with native X11 + support disabled if this option is set to true. + + To use the native X11 support add <literal>PrologFlags=X11</literal> in <option>extraConfig</option>. + Note that this method will only work RSA SSH host keys. ''; }; @@ -356,7 +393,11 @@ in requires = [ "munged.service" "mysql.service" ]; # slurm strips the last component off the path - environment.SLURM_CONF = "${slurmdbdConf}/slurm.conf"; + environment.SLURM_CONF = + if (cfg.dbdserver.configFile == null) then + "${slurmdbdConf}/slurm.conf" + else + cfg.dbdserver.configFile; serviceConfig = { Type = "forking"; diff --git a/nixos/modules/services/databases/4store-endpoint.nix b/nixos/modules/services/databases/4store-endpoint.nix deleted file mode 100644 index 59ed0e5f0af..00000000000 --- a/nixos/modules/services/databases/4store-endpoint.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.fourStoreEndpoint; - endpointUser = "fourstorehttp"; - run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${endpointUser} -c"; -in -with lib; -{ - - ###### interface - - options = { - - services.fourStoreEndpoint = { - - enable = mkOption { - default = false; - description = "Whether to enable 4Store SPARQL endpoint."; - }; - - database = mkOption { - default = config.services.fourStore.database; - description = "RDF database name to expose via the endpoint. Defaults to local 4Store database name."; - }; - - listenAddress = mkOption { - default = null; - description = "IP address to listen on."; - }; - - port = mkOption { - default = 8080; - description = "port to listen on."; - }; - - options = mkOption { - default = ""; - description = "Extra CLI options to pass to 4Store's 4s-httpd process."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - assertions = singleton - { assertion = cfg.enable -> cfg.database != ""; - message = "Must specify 4Store database name"; - }; - - users.users = singleton - { name = endpointUser; - uid = config.ids.uids.fourstorehttp; - description = "4Store SPARQL endpoint user"; - }; - - services.avahi.enable = true; - - systemd.services."4store-endpoint" = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - script = '' - ${run} '${pkgs.rdf4store}/bin/4s-httpd -D ${cfg.options} ${if cfg.listenAddress!=null then "-H ${cfg.listenAddress}" else "" } -p ${toString cfg.port} ${cfg.database}' - ''; - }; - - }; - -} diff --git a/nixos/modules/services/databases/4store.nix b/nixos/modules/services/databases/4store.nix deleted file mode 100644 index be4351c1c38..00000000000 --- a/nixos/modules/services/databases/4store.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.fourStore; - stateDir = "/var/lib/4store"; - fourStoreUser = "fourstore"; - run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fourStoreUser}"; -in -with lib; -{ - - ###### interface - - options = { - - services.fourStore = { - - enable = mkOption { - default = false; - description = "Whether to enable 4Store RDF database server."; - }; - - database = mkOption { - default = ""; - description = "RDF database name. If it doesn't exist, it will be created. Databases are stored in ${stateDir}."; - }; - - options = mkOption { - default = ""; - description = "Extra CLI options to pass to 4Store."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - assertions = singleton - { assertion = cfg.enable -> cfg.database != ""; - message = "Must specify 4Store database name."; - }; - - users.users = singleton - { name = fourStoreUser; - uid = config.ids.uids.fourstore; - description = "4Store database user"; - home = stateDir; - }; - - services.avahi.enable = true; - - systemd.services."4store" = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -p ${stateDir}/ - chown ${fourStoreUser} ${stateDir} - if ! test -e "${stateDir}/${cfg.database}"; then - ${run} -c '${pkgs.rdf4store}/bin/4s-backend-setup ${cfg.database}' - fi - ''; - - script = '' - ${run} -c '${pkgs.rdf4store}/bin/4s-backend -D ${cfg.options} ${cfg.database}' - ''; - }; - }; -} diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 39192d05948..6af32700fc7 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -8,15 +8,11 @@ let mysql = cfg.package; - isMariaDB = - let - pName = _p: (builtins.parseDrvName (_p.name)).name; - in pName mysql == pName pkgs.mariadb; + isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb; + isMysqlAtLeast57 = - let - pName = _p: (builtins.parseDrvName (_p.name)).name; - in (pName mysql == pName pkgs.mysql57) - && ((builtins.compareVersions mysql.version "5.7") >= 0); + (lib.getName mysql == lib.getName pkgs.mysql57) + && (builtins.compareVersions mysql.version "5.7" >= 0); mysqldOptions = "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}"; @@ -28,6 +24,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") + (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") + ]; ###### interface diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix index 5533182c311..29a83300ec1 100644 --- a/nixos/modules/services/databases/neo4j.nix +++ b/nixos/modules/services/databases/neo4j.nix @@ -103,6 +103,18 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ]) + (mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ]) + (mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ]) + (mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ]) + (mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ]) + (mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ]) + (mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.") + (mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.") + (mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.") + ]; + ###### interface options.services.neo4j = { diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 3bedfe96a18..c8fdd89d0d8 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -339,9 +339,9 @@ in '') cfg.ensureDatabases} '' + '' ${concatMapStrings (user: '' - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}" + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - $PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}' + $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '') user.ensurePermissions)} '') cfg.ensureUsers} ''; diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 5695eeaf74c..70895fa53e4 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -32,6 +32,13 @@ let ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") + (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") + (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") + (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") + (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + ]; ###### interface @@ -185,10 +192,10 @@ in ###### implementation config = mkIf config.services.redis.enable { - - boot.kernel.sysctl = { - "vm.nr_hugepages" = "0"; - } // mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; }; + boot.kernel.sysctl = (mkMerge [ + { "vm.nr_hugepages" = "0"; } + ( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } ) + ]); networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; diff --git a/nixos/modules/services/desktops/neard.nix b/nixos/modules/services/desktops/neard.nix new file mode 100644 index 00000000000..9b0f8d1b3a7 --- /dev/null +++ b/nixos/modules/services/desktops/neard.nix @@ -0,0 +1,23 @@ +# neard service. +{ config, lib, pkgs, ... }: + +with lib; + +{ + ###### interface + options = { + services.neard = { + enable = mkEnableOption "neard, NFC daemon"; + }; + }; + + + ###### implementation + config = mkIf config.services.neard.enable { + environment.systemPackages = [ pkgs.neard ]; + + services.dbus.packages = [ pkgs.neard ]; + + systemd.packages = [ pkgs.neard ]; + }; +} diff --git a/nixos/modules/services/desktops/pantheon/contractor.nix b/nixos/modules/services/desktops/pantheon/contractor.nix index 2638a21df73..c76145191a7 100644 --- a/nixos/modules/services/desktops/pantheon/contractor.nix +++ b/nixos/modules/services/desktops/pantheon/contractor.nix @@ -6,35 +6,12 @@ with lib; { - meta.maintainers = pkgs.pantheon.maintainers; - - ###### interface - - options = { - - services.pantheon.contractor = { - - enable = mkEnableOption "contractor, a desktop-wide extension service used by pantheon"; - - }; - - }; - ###### implementation config = mkIf config.services.pantheon.contractor.enable { - environment.systemPackages = with pkgs.pantheon; [ - contractor - extra-elementary-contracts - ]; - - services.dbus.packages = [ pkgs.pantheon.contractor ]; - - environment.pathsToLink = [ - "/share/contractor" - ]; + }; diff --git a/nixos/modules/services/desktops/pantheon/files.nix b/nixos/modules/services/desktops/pantheon/files.nix index 577aad6c298..8cee9f42b62 100644 --- a/nixos/modules/services/desktops/pantheon/files.nix +++ b/nixos/modules/services/desktops/pantheon/files.nix @@ -6,33 +6,8 @@ with lib; { - meta.maintainers = pkgs.pantheon.maintainers; - - ###### interface - - options = { - - services.pantheon.files = { - - enable = mkEnableOption "pantheon files daemon"; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.pantheon.files.enable { - - environment.systemPackages = [ - pkgs.pantheon.elementary-files - ]; - - services.dbus.packages = [ - pkgs.pantheon.elementary-files - ]; - - }; + imports = [ + (mkRemovedOptionModule [ "services" "pantheon" "files" "enable" ] "Use `environment.systemPackages [ pkgs.pantheon.elementary-files ];`") + ]; } diff --git a/nixos/modules/services/desktops/tumbler.nix b/nixos/modules/services/desktops/tumbler.nix index d18088d4634..a833e99ff8c 100644 --- a/nixos/modules/services/desktops/tumbler.nix +++ b/nixos/modules/services/desktops/tumbler.nix @@ -7,12 +7,17 @@ with lib; let cfg = config.services.tumbler; - tumbler = cfg.package; in { + imports = [ + (mkRemovedOptionModule + [ "services" "tumbler" "package" ] + "") + ]; + ###### interface options = { @@ -21,13 +26,6 @@ in enable = mkEnableOption "Tumbler, A D-Bus thumbnailer service"; - package = mkOption { - type = types.package; - default = pkgs.xfce4-14.tumbler; - description = "Which tumbler package to use"; - example = pkgs.xfce4-12.tumbler; - }; - }; }; @@ -37,11 +35,11 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ + environment.systemPackages = with pkgs.xfce; [ tumbler ]; - services.dbus.packages = [ + services.dbus.packages = with pkgs.xfce; [ tumbler ]; diff --git a/nixos/modules/services/development/lorri.nix b/nixos/modules/services/development/lorri.nix new file mode 100644 index 00000000000..c843aa56d13 --- /dev/null +++ b/nixos/modules/services/development/lorri.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.lorri; + socketPath = "lorri/daemon.socket"; +in { + options = { + services.lorri = { + enable = lib.mkOption { + default = false; + type = lib.types.bool; + description = '' + Enables the daemon for `lorri`, a nix-shell replacement for project + development. The socket-activated daemon starts on the first request + issued by the `lorri` command. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.user.sockets.lorri = { + description = "Socket for Lorri Daemon"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = "%t/${socketPath}"; + RuntimeDirectory = "lorri"; + }; + }; + + systemd.user.services.lorri = { + description = "Lorri Daemon"; + requires = [ "lorri.socket" ]; + after = [ "lorri.socket" ]; + path = with pkgs; [ config.nix.package git gnutar gzip ]; + serviceConfig = { + ExecStart = "${pkgs.lorri}/bin/lorri daemon"; + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = "read-only"; + Restart = "on-failure"; + }; + }; + + environment.systemPackages = [ pkgs.lorri ]; + }; +} diff --git a/nixos/modules/services/games/openarena.nix b/nixos/modules/services/games/openarena.nix index b7d1aea6b8d..8c014d78809 100644 --- a/nixos/modules/services/games/openarena.nix +++ b/nixos/modules/services/games/openarena.nix @@ -43,7 +43,7 @@ in serviceConfig = { DynamicUser = true; StateDirectory = "openarena"; - ExecStart = "${pkgs.openarena}/bin/openarena-server +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}"; + ExecStart = "${pkgs.openarena}/bin/oa_ded +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}"; Restart = "on-failure"; # Hardening diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix index c5f9d1f9b72..11d67418a31 100644 --- a/nixos/modules/services/hardware/bluetooth.nix +++ b/nixos/modules/services/hardware/bluetooth.nix @@ -36,17 +36,25 @@ in { ''; }; + config = mkOption { + type = with types; attrsOf (attrsOf (oneOf [ bool int str ])); + example = { + General = { + ControllerMode = "bredr"; + }; + }; + description = "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf)."; + }; + extraConfig = mkOption { - type = types.lines; - default = ""; + type = with types; nullOr lines; + default = null; example = '' [General] ControllerMode = bredr ''; description = '' Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf). - - NOTE: We already include [Policy], so any configuration under the Policy group should come first. ''; }; }; @@ -56,16 +64,18 @@ in { ###### implementation config = mkIf cfg.enable { + warnings = optional (cfg.extraConfig != null) "hardware.bluetooth.`extraConfig` is deprecated, please use hardware.bluetooth.`config`."; - environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ]; + hardware.bluetooth.config = { + Policy = { + AutoEnable = mkDefault cfg.powerOnBoot; + }; + }; - environment.etc = singleton { - source = pkgs.writeText "main.conf" '' - [Policy] - AutoEnable=${lib.boolToString cfg.powerOnBoot} + environment.systemPackages = [ bluez-bluetooth ]; - ${cfg.extraConfig} - ''; + environment.etc = singleton { + source = pkgs.writeText "main.conf" (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig); target = "bluetooth/main.conf"; }; diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix index 6c341bcbf24..51877970a8b 100644 --- a/nixos/modules/services/hardware/fwupd.nix +++ b/nixos/modules/services/hardware/fwupd.nix @@ -74,7 +74,7 @@ in { default = false; description = '' Whether to enable test remote. This is used by - <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>. + <link xlink:href="https://github.com/fwupd/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>. ''; }; @@ -115,10 +115,6 @@ in { services.udev.packages = [ cfg.package ]; systemd.packages = [ cfg.package ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/fwupd 0755 root root -" - ]; }; meta = { diff --git a/nixos/modules/services/hardware/tlp.nix b/nixos/modules/services/hardware/tlp.nix index 4f8af797828..adc1881a525 100644 --- a/nixos/modules/services/hardware/tlp.nix +++ b/nixos/modules/services/hardware/tlp.nix @@ -37,7 +37,7 @@ in enable = mkOption { type = types.bool; default = false; - description = "Whether to enable the TLP daemon."; + description = "Whether to enable the TLP power management daemon."; }; extraConfig = mkOption { diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 83ab93bd7cf..50997bb9bb1 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -221,8 +221,8 @@ in type = types.lines; description = '' Additional <command>hwdb</command> files. They'll be written - into file <filename>10-local.hwdb</filename>. Thus they are - read before all other files. + into file <filename>99-local.hwdb</filename>. Thus they are + read after all other files. ''; }; diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix index 5e7ac7a6e65..449810b5315 100644 --- a/nixos/modules/services/hardware/upower.nix +++ b/nixos/modules/services/hardware/upower.nix @@ -37,6 +37,172 @@ in ''; }; + enableWattsUpPro = mkOption { + type = types.bool; + default = false; + description = '' + Enable the Watts Up Pro device. + + The Watts Up Pro contains a generic FTDI USB device without a specific + vendor and product ID. When we probe for WUP devices, we can cause + the user to get a perplexing "Device or resource busy" error when + attempting to use their non-WUP device. + + The generic FTDI device is known to also be used on: + + <itemizedlist> + <listitem><para>Sparkfun FT232 breakout board</para></listitem> + <listitem><para>Parallax Propeller</para></listitem> + </itemizedlist> + ''; + }; + + noPollBatteries = mkOption { + type = types.bool; + default = false; + description = '' + Don't poll the kernel for battery level changes. + + Some hardware will send us battery level changes through + events, rather than us having to poll for it. This option + allows disabling polling for hardware that sends out events. + ''; + }; + + ignoreLid = mkOption { + type = types.bool; + default = false; + description = '' + Do we ignore the lid state + + Some laptops are broken. The lid state is either inverted, or stuck + on or off. We can't do much to fix these problems, but this is a way + for users to make the laptop panel vanish, a state that might be used + by a couple of user-space daemons. On Linux systems, see also + logind.conf(5). + ''; + }; + + usePercentageForPolicy = mkOption { + type = types.bool; + default = true; + description = '' + Policy for warnings and action based on battery levels + + Whether battery percentage based policy should be used. The default + is to use the percentage, which + should work around broken firmwares. It is also more reliable than + the time left (frantically saving all your files is going to use more + battery than letting it rest for example). + ''; + }; + + percentageLow = mkOption { + type = types.ints.unsigned; + default = 10; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will consider the + battery low. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + percentageCritical = mkOption { + type = types.ints.unsigned; + default = 3; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will consider the + battery critical. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + percentageAction = mkOption { + type = types.ints.unsigned; + default = 2; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will take action + for the critical battery level. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + timeLow = mkOption { + type = types.ints.unsigned; + default = 1200; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + consider the battery low. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + timeCritical = mkOption { + type = types.ints.unsigned; + default = 300; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + consider the battery critical. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + timeAction = mkOption { + type = types.ints.unsigned; + default = 120; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + take action for the critical battery level. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + criticalPowerAction = mkOption { + type = types.enum [ "PowerOff" "Hibernate" "HybridSleep" ]; + default = "HybridSleep"; + description = '' + The action to take when <literal>timeAction</literal> or + <literal>percentageAction</literal> has been reached for the batteries + (UPS or laptop batteries) supplying the computer + ''; + }; + }; }; @@ -54,6 +220,21 @@ in systemd.packages = [ cfg.package ]; + environment.etc."UPower/UPower.conf".text = generators.toINI {} { + UPower = { + EnableWattsUpPro = cfg.enableWattsUpPro; + NoPollBatteries = cfg.noPollBatteries; + IgnoreLid = cfg.ignoreLid; + UsePercentageForPolicy = cfg.usePercentageForPolicy; + PercentageLow = cfg.percentageLow; + PercentageCritical = cfg.percentageCritical; + PercentageAction = cfg.percentageAction; + TimeLow = cfg.timeLow; + TimeCritical = cfg.timeCritical; + TimeAction = cfg.timeAction; + CriticalPowerAction = cfg.criticalPowerAction; + }; + }; }; } diff --git a/nixos/modules/services/logging/awstats.nix b/nixos/modules/services/logging/awstats.nix index a92ff3bee49..d51c9a5cffa 100644 --- a/nixos/modules/services/logging/awstats.nix +++ b/nixos/modules/services/logging/awstats.nix @@ -4,31 +4,116 @@ with lib; let cfg = config.services.awstats; - httpd = config.services.httpd; package = pkgs.awstats; -in + configOpts = {name, config, ...}: { + options = { + type = mkOption{ + type = types.enum [ "mail" "web" ]; + default = "web"; + example = "mail"; + description = '' + The type of log being collected. + ''; + }; + domain = mkOption { + type = types.str; + default = name; + description = "The domain name to collect stats for."; + example = "example.com"; + }; + + logFile = mkOption { + type = types.str; + example = "/var/spool/nginx/logs/access.log"; + description = '' + The log file to be scanned. + For mail, set this to + <literal> + journalctl $OLD_CURSOR -u postfix.service | ''${pkgs.perl}/bin/perl ''${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard | + </literal> + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "1"; + description = '' + The log format being used. + + For mail, set this to + <literal> + %time2 %email %email_r %host %host_r %method %url %code %bytesd + </literal> + ''; + }; + + hostAliases = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"www.example.org\" ]"; + description = '' + List of aliases the site has. + ''; + }; + + extraConfig = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + { + "ValidHTTPCodes" = "404"; + } + ''; + }; + + webService = { + enable = mkEnableOption "awstats web service"; + + hostname = mkOption { + type = types.str; + default = config.domain; + description = "The hostname the web service appears under."; + }; + + urlPrefix = mkOption { + type = types.str; + default = "/awstats"; + description = "The URL prefix under which the awstats pages appear."; + }; + }; + }; + }; + webServices = filterAttrs (name: value: value.webService.enable) cfg.configs; +in { + imports = [ + (mkRemovedOptionModule [ "services" "awstats" "service" "enable" ] "Please enable per domain with `services.awstats.configs.<name>.webService.enable`") + (mkRemovedOptionModule [ "services" "awstats" "service" "urlPrefix" ] "Please set per domain with `services.awstats.configs.<name>.webService.urlPrefix`") + (mkRenamedOptionModule [ "services" "awstats" "vardir" ] [ "services" "awstats" "dataDir" ]) + ]; + options.services.awstats = { - enable = mkOption { - type = types.bool; - default = cfg.service.enable; - description = '' - Enable the awstats program (but not service). - Currently only simple httpd (Apache) configs are supported, - and awstats plugins may not work correctly. - ''; - }; - vardir = mkOption { + enable = mkEnableOption "awstats"; + + dataDir = mkOption { type = types.path; default = "/var/lib/awstats"; - description = "The directory where variable awstats data will be stored."; + description = "The directory where awstats data will be stored."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - description = "Extra configuration to be appendend to awstats.conf."; + configs = mkOption { + type = types.attrsOf (types.submodule configOpts); + default = {}; + example = literalExample '' + { + "mysite" = { + domain = "example.com"; + logFile = "/var/spool/nginx/logs/access.log"; + }; + } + ''; + description = "Attribute set of domains to collect stats for."; }; updateAt = mkOption { @@ -42,75 +127,129 @@ in <manvolnum>7</manvolnum></citerefentry>) ''; }; - - service = { - enable = mkOption { - type = types.bool; - default = false; - description = ''Enable the awstats web service. This switches on httpd.''; - }; - urlPrefix = mkOption { - type = types.str; - default = "/awstats"; - description = "The URL prefix under which the awstats service appears."; - }; - }; }; config = mkIf cfg.enable { environment.systemPackages = [ package.bin ]; - /* TODO: - - heed config.services.httpd.logPerVirtualHost, etc. - - Can't AllowToUpdateStatsFromBrowser, as CGI scripts don't have permission - to read the logs, and our httpd config apparently doesn't an option for that. - */ - environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf" + + environment.etc = mapAttrs' (name: opts: + nameValuePair "awstats/awstats.${name}.conf" { + source = pkgs.runCommand "awstats.${name}.conf" { preferLocalBuild = true; } - ( let - logFormat = - if httpd.logFormat == "combined" then "1" else - if httpd.logFormat == "common" then "4" else - throw "awstats service doesn't support Apache log format `${httpd.logFormat}`"; - in - '' - sed \ - -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \ - -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ - -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ - -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \ - -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \ - -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \ - < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" - echo '${cfg.extraConfig}' >> "$out" - ''); - - systemd.tmpfiles.rules = optionals cfg.service.enable [ - "d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" - "Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" - ]; - - # The httpd sub-service showing awstats. - services.httpd = optionalAttrs cfg.service.enable { - enable = true; - extraConfig = '' - Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/" - Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/" - Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/" - ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/" - - <Directory "${package.out}/wwwroot"> - Options None - Require all granted - </Directory> - ''; - }; + ('' + sed \ + '' + # set up mail stats + + optionalString (opts.type == "mail") + '' + -e 's|^\(LogType\)=.*$|\1=M|' \ + -e 's|^\(LevelForBrowsersDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForOSDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForRefererAnalyze\)=.*$|\1=0|' \ + -e 's|^\(LevelForRobotsDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForSearchEnginesDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForFileTypesDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForWormsDetection\)=.*$|\1=0|' \ + -e 's|^\(ShowMenu\)=.*$|\1=1|' \ + -e 's|^\(ShowSummary\)=.*$|\1=HB|' \ + -e 's|^\(ShowMonthStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDaysOfMonthStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDaysOfWeekStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowHoursStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDomainsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowHostsStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowAuthenticatedUsers\)=.*$|\1=0|' \ + -e 's|^\(ShowRobotsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowEMailSenders\)=.*$|\1=HBML|' \ + -e 's|^\(ShowEMailReceivers\)=.*$|\1=HBML|' \ + -e 's|^\(ShowSessionsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowPagesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowFileTypesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowFileSizesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowBrowsersStats\)=.*$|\1=0|' \ + -e 's|^\(ShowOSStats\)=.*$|\1=0|' \ + -e 's|^\(ShowOriginStats\)=.*$|\1=0|' \ + -e 's|^\(ShowKeyphrasesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowKeywordsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowMiscStats\)=.*$|\1=0|' \ + -e 's|^\(ShowHTTPErrorsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowSMTPErrorsStats\)=.*$|\1=1|' \ + '' + + + # common options + '' + -e 's|^\(DirData\)=.*$|\1="${cfg.dataDir}/${name}"|' \ + -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ + -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ + -e 's|^\(SiteDomain\)=.*$|\1="${name}"|' \ + -e 's|^\(LogFile\)=.*$|\1="${opts.logFile}"|' \ + -e 's|^\(LogFormat\)=.*$|\1="${opts.logFormat}"|' \ + '' + + + # extra config + concatStringsSep "\n" (mapAttrsToList (n: v: '' + -e 's|^\(${n}\)=.*$|\1="${v}"|' \ + '') opts.extraConfig) + + + '' + < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" + ''); + }) cfg.configs; - systemd.services.awstats-update = mkIf (cfg.updateAt != null) { - description = "awstats log collector"; - script = "exec '${package.bin}/bin/awstats' -update -config=awstats.conf"; - startAt = cfg.updateAt; - }; + # create data directory with the correct permissions + systemd.tmpfiles.rules = + [ "d '${cfg.dataDir}' 755 root root - -" ] ++ + mapAttrsToList (name: opts: "d '${cfg.dataDir}/${name}' 755 root root - -") cfg.configs ++ + [ "Z '${cfg.dataDir}' 755 root root - -" ]; + + # nginx options + services.nginx.virtualHosts = mapAttrs'(name: opts: { + name = opts.webService.hostname; + value = { + locations = { + "${opts.webService.urlPrefix}/css/" = { + alias = "${package.out}/wwwroot/css/"; + }; + "${opts.webService.urlPrefix}/icons/" = { + alias = "${package.out}/wwwroot/icon/"; + }; + "${opts.webService.urlPrefix}/" = { + alias = "${cfg.dataDir}/${name}/"; + extraConfig = '' + autoindex on; + ''; + }; + }; + }; + }) webServices; + + # update awstats + systemd.services = mkIf (cfg.updateAt != null) (mapAttrs' (name: opts: + nameValuePair "awstats-${name}-update" { + description = "update awstats for ${name}"; + script = optionalString (opts.type == "mail") + '' + if [[ -f "${cfg.dataDir}/${name}-cursor" ]]; then + CURSOR="$(cat "${cfg.dataDir}/${name}-cursor" | tr -d '\n')" + if [[ -n "$CURSOR" ]]; then + echo "Using cursor: $CURSOR" + export OLD_CURSOR="--cursor $CURSOR" + fi + fi + NEW_CURSOR="$(journalctl $OLD_CURSOR -u postfix.service --show-cursor | tail -n 1 | tr -d '\n' | sed -e 's#^-- cursor: \(.*\)#\1#')" + echo "New cursor: $NEW_CURSOR" + ${package.bin}/bin/awstats -update -config=${name} + if [ -n "$NEW_CURSOR" ]; then + echo -n "$NEW_CURSOR" > ${cfg.dataDir}/${name}-cursor + fi + '' + '' + ${package.out}/share/awstats/tools/awstats_buildstaticpages.pl \ + -config=${name} -update -dir=${cfg.dataDir}/${name} \ + -awstatsprog=${package.bin}/bin/awstats + ''; + startAt = cfg.updateAt; + }) cfg.configs); }; } diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index 4943e8d7db3..21a83803fd8 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -37,6 +37,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) + (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") + ]; + ###### interface options = { diff --git a/nixos/modules/services/logging/syslog-ng.nix b/nixos/modules/services/logging/syslog-ng.nix index 65e103ac2ba..35055311680 100644 --- a/nixos/modules/services/logging/syslog-ng.nix +++ b/nixos/modules/services/logging/syslog-ng.nix @@ -25,6 +25,10 @@ let ]; in { + imports = [ + (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "") + (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "") + ]; options = { diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 3fd06812c67..2cda8c49f5e 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -86,7 +86,7 @@ let } plugin { - quota_rule = *:storage=${cfg.quotaGlobalPerUser} + quota_rule = *:storage=${cfg.quotaGlobalPerUser} quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working quota_status_success = DUNNO quota_status_nouser = DUNNO @@ -133,6 +133,9 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + ]; options.services.dovecot2 = { enable = mkEnableOption "Dovecot 2.x POP3/IMAP server"; diff --git a/nixos/modules/services/mail/mailcatcher.nix b/nixos/modules/services/mail/mailcatcher.nix index f5b4508b335..84f06ed199d 100644 --- a/nixos/modules/services/mail/mailcatcher.nix +++ b/nixos/modules/services/mail/mailcatcher.nix @@ -25,6 +25,13 @@ in description = "The port address of the http server."; }; + http.path = mkOption { + type = with types; nullOr str; + default = null; + description = "Prefix to all HTTP paths."; + example = "/mailcatcher"; + }; + smtp.ip = mkOption { type = types.str; default = "127.0.0.1"; @@ -53,7 +60,7 @@ in serviceConfig = { DynamicUser = true; Restart = "always"; - ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}"; + ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}" + optionalString (cfg.http.path != null) " --http-path ${cfg.http.path}"; AmbientCapabilities = optionalString (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service"; }; }; diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index 253823cbaf9..6431531d5eb 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -18,6 +18,9 @@ let ] ++ optionals (cfg.configFile != null) [ "-x" cfg.configFile ]; in { + imports = [ + (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ]) + ]; ###### interface diff --git a/nixos/modules/services/mail/opensmtpd.nix b/nixos/modules/services/mail/opensmtpd.nix index a870550ba50..1fabe2da45c 100644 --- a/nixos/modules/services/mail/opensmtpd.nix +++ b/nixos/modules/services/mail/opensmtpd.nix @@ -101,6 +101,12 @@ in { }; }; + systemd.tmpfiles.rules = [ + "d /var/spool/smtpd 711 root - - -" + "d /var/spool/smtpd/offline 770 root smtpq - -" + "d /var/spool/smtpd/purge 700 smtpq root - -" + ]; + systemd.services.opensmtpd = let procEnv = pkgs.buildEnv { name = "opensmtpd-procs"; @@ -110,18 +116,6 @@ in { in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - preStart = '' - mkdir -p /var/spool/smtpd - chmod 711 /var/spool/smtpd - - mkdir -p /var/spool/smtpd/offline - chown root.smtpq /var/spool/smtpd/offline - chmod 770 /var/spool/smtpd/offline - - mkdir -p /var/spool/smtpd/purge - chown smtpq.root /var/spool/smtpd/purge - chmod 700 /var/spool/smtpd/purge - ''; serviceConfig.ExecStart = "${cfg.package}/sbin/smtpd -d -f ${conf} ${args}"; environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd"; }; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index d5fd76da970..df438a0c69d 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -631,6 +631,14 @@ in setgid = true; }; + security.wrappers.mailq = { + program = "mailq"; + source = "${pkgs.postfix}/bin/mailq"; + group = setgidGroup; + setuid = false; + setgid = true; + }; + security.wrappers.postqueue = { program = "postqueue"; source = "${pkgs.postfix}/bin/postqueue"; diff --git a/nixos/modules/services/mail/postgrey.nix b/nixos/modules/services/mail/postgrey.nix index 88fb7f0b4ad..709f6b21aa0 100644 --- a/nixos/modules/services/mail/postgrey.nix +++ b/nixos/modules/services/mail/postgrey.nix @@ -42,6 +42,17 @@ with lib; let }; in { + imports = [ + (mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let + value = p: getAttrFromPath p config; + inetAddr = [ "services" "postgrey" "inetAddr" ]; + inetPort = [ "services" "postgrey" "inetPort" ]; + in + if value inetAddr == null + then { path = "/run/postgrey.sock"; } + else { addr = value inetAddr; port = value inetPort; } + )) + ]; options = { services.postgrey = with types; { diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index bdedfa1bb70..36dda619ad0 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -160,7 +160,7 @@ in ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'"; ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}"; fi - PGPASSWORD=${cfg.database.password} ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \ + PGPASSWORD="${cfg.database.password}" ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \ -f ${cfg.package}/SQL/postgres.initial.sql \ -h ${cfg.database.host} ${cfg.database.dbname} touch /var/lib/roundcube/db-created diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 4db35d9e89a..f156595e6f8 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -60,7 +60,7 @@ let }; type = mkOption { type = types.nullOr (types.enum [ - "normal" "controller" "fuzzy_storage" "rspamd_proxy" "lua" "proxy" + "normal" "controller" "fuzzy" "rspamd_proxy" "lua" "proxy" ]); description = '' The type of this worker. The type <literal>proxy</literal> is @@ -220,7 +220,6 @@ let in { - ###### interface options = { @@ -414,5 +413,6 @@ in "Socket activation never worked correctly and could at this time not be fixed and so was removed") (mkRenamedOptionModule [ "services" "rspamd" "bindSocket" ] [ "services" "rspamd" "workers" "normal" "bindSockets" ]) (mkRenamedOptionModule [ "services" "rspamd" "bindUISocket" ] [ "services" "rspamd" "workers" "controller" "bindSockets" ]) + (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service") ]; } diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index 798e902ccae..46308f74dc9 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -131,7 +131,7 @@ in { home = head cfg.logDirs; }; - systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs; + systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs; systemd.services.apache-kafka = { description = "Apache Kafka Daemon"; diff --git a/nixos/modules/services/misc/beanstalkd.nix b/nixos/modules/services/misc/beanstalkd.nix index 06e881406b5..bcd133c9741 100644 --- a/nixos/modules/services/misc/beanstalkd.nix +++ b/nixos/modules/services/misc/beanstalkd.nix @@ -44,7 +44,8 @@ in serviceConfig = { DynamicUser = true; Restart = "always"; - ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}"; + ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port} -b $STATE_DIRECTORY"; + StateDirectory = "beanstalkd"; }; }; diff --git a/nixos/modules/services/misc/ethminer.nix b/nixos/modules/services/misc/ethminer.nix index 2958cf21447..95afb0460fb 100644 --- a/nixos/modules/services/misc/ethminer.nix +++ b/nixos/modules/services/misc/ethminer.nix @@ -71,7 +71,7 @@ in maxPower = mkOption { type = types.int; - default = 115; + default = 113; description = "Miner max watt usage."; }; @@ -92,7 +92,9 @@ in serviceConfig = { DynamicUser = true; + ExecStartPre = "${pkgs.ethminer}/bin/.ethminer-wrapped --list-devices"; ExecStartPost = optional (cfg.toolkit == "cuda") "+${getBin config.boot.kernelPackages.nvidia_x11}/bin/nvidia-smi -pl ${toString cfg.maxPower}"; + Restart = "always"; }; environment = { diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index c8c59fb256e..258476dd9fe 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -394,6 +394,26 @@ in WorkingDirectory = cfg.stateDir; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; + + # Filesystem + ProtectHome = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + ReadWritePaths = cfg.stateDir; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; environment = { @@ -453,4 +473,5 @@ in timerConfig.OnCalendar = cfg.dump.interval; }; }; + meta.maintainers = with lib.maintainers; [ srhb ]; } diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 07ea9c45843..61d0ce0aef8 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -189,6 +189,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ]) + (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") + ]; + options = { services.gitlab = { enable = mkOption { diff --git a/nixos/modules/services/misc/mame.nix b/nixos/modules/services/misc/mame.nix new file mode 100644 index 00000000000..c5d5e9e4837 --- /dev/null +++ b/nixos/modules/services/misc/mame.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mame; + mame = "mame${lib.optionalString pkgs.stdenv.is64bit "64"}"; +in +{ + options = { + services.mame = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to setup TUN/TAP Ethernet interface for MAME emulator. + ''; + }; + user = mkOption { + type = types.str; + description = '' + User from which you run MAME binary. + ''; + }; + hostAddr = mkOption { + type = types.str; + description = '' + IP address of the host system. Usually an address of the main network + adapter or the adapter through which you get an internet connection. + ''; + example = "192.168.31.156"; + }; + emuAddr = mkOption { + type = types.str; + description = '' + IP address of the guest system. The same you set inside guest OS under + MAME. Should be on the same subnet as <option>services.mame.hostAddr</option>. + ''; + example = "192.168.31.155"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.mame ]; + + security.wrappers."${mame}" = { + source = "${pkgs.mame}/bin/${mame}"; + capabilities = "cap_net_admin,cap_net_raw+eip"; + }; + + systemd.services.mame = { + description = "MAME TUN/TAP Ethernet interface"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.iproute ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.mame}/bin/taputil.sh -c ${cfg.user} ${cfg.emuAddr} ${cfg.hostAddr} -"; + ExecStop = "${pkgs.mame}/bin/taputil.sh -d ${cfg.user}"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ gnidorah ]; +} diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 0f4eb2ccfca..0bda8980720 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -407,6 +407,9 @@ in { "192.168.0.0/16" "100.64.0.0/10" "169.254.0.0/16" + "::1/128" + "fe80::/64" + "fc00::/7" ]; description = '' List of IP address CIDR ranges that the URL preview spider is denied @@ -668,43 +671,30 @@ in { gid = config.ids.gids.matrix-synapse; } ]; - services.postgresql.enable = mkIf usePostgresql (mkDefault true); + services.postgresql = mkIf (usePostgresql && cfg.create_local_database) { + enable = mkDefault true; + ensureDatabases = [ cfg.database_name ]; + ensureUsers = [{ + name = cfg.database_user; + ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; }; + }]; + }; systemd.services.matrix-synapse = { description = "Synapse Matrix homeserver"; - after = [ "network.target" "postgresql.service" ]; + after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ; wantedBy = [ "multi-user.target" ]; preStart = '' ${cfg.package}/bin/homeserver \ --config-path ${configFile} \ --keys-directory ${cfg.dataDir} \ --generate-keys - '' + optionalString (usePostgresql && cfg.create_local_database) '' - if ! test -e "${cfg.dataDir}/db-created"; then - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createuser \ - --login \ - --no-createdb \ - --no-createrole \ - --encrypted \ - ${cfg.database_user} - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createdb \ - --owner=${cfg.database_user} \ - --encoding=UTF8 \ - --lc-collate=C \ - --lc-ctype=C \ - --template=template0 \ - ${cfg.database_name} - touch "${cfg.dataDir}/db-created" - fi ''; serviceConfig = { Type = "notify"; User = "matrix-synapse"; Group = "matrix-synapse"; WorkingDirectory = cfg.dataDir; - PermissionsStartOnly = true; ExecStart = '' ${cfg.package}/bin/homeserver \ ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index dcec4d4fc6c..24780446d50 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -68,6 +68,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) + (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) + ]; ###### interface diff --git a/nixos/modules/services/misc/nzbget.nix b/nixos/modules/services/misc/nzbget.nix index eb7b4c05d82..715ec891cd6 100644 --- a/nixos/modules/services/misc/nzbget.nix +++ b/nixos/modules/services/misc/nzbget.nix @@ -27,6 +27,12 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "misc" "nzbget" "configFile" ] "The configuration of nzbget is now managed by users through the web interface.") + (mkRemovedOptionModule [ "services" "misc" "nzbget" "dataDir" ] "The data directory for nzbget is now /var/lib/nzbget.") + (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") + ]; + # interface options = { diff --git a/nixos/modules/services/misc/parsoid.nix b/nixos/modules/services/misc/parsoid.nix index c757093e5c1..61626e78f8b 100644 --- a/nixos/modules/services/misc/parsoid.nix +++ b/nixos/modules/services/misc/parsoid.nix @@ -26,6 +26,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead") + ]; + ##### interface options = { diff --git a/nixos/modules/services/misc/pykms.nix b/nixos/modules/services/misc/pykms.nix index e2d1254602b..25aa27ae767 100644 --- a/nixos/modules/services/misc/pykms.nix +++ b/nixos/modules/services/misc/pykms.nix @@ -9,6 +9,10 @@ let in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; + imports = [ + (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") + ]; + options = { services.pykms = { enable = mkOption { diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 24b9e27ac2d..bf9a6914a48 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix @@ -62,20 +62,11 @@ in services.redmine = { enable = mkEnableOption "Redmine"; - # default to the 4.x series not forcing major version upgrade of those on the 3.x series package = mkOption { type = types.package; - default = if versionAtLeast config.system.stateVersion "19.03" - then pkgs.redmine_4 - else pkgs.redmine - ; - defaultText = "pkgs.redmine"; - description = '' - Which Redmine package to use. This defaults to version 3.x if - <literal>system.stateVersion < 19.03</literal> and version 4.x - otherwise. - ''; - example = "pkgs.redmine_4.override { ruby = pkgs.ruby_2_4; }"; + default = pkgs.redmine; + description = "Which Redmine package to use."; + example = "pkgs.redmine.override { ruby = pkgs.ruby_2_4; }"; }; user = mkOption { diff --git a/nixos/modules/services/misc/tautulli.nix b/nixos/modules/services/misc/tautulli.nix index 50e45036647..aded33629f1 100644 --- a/nixos/modules/services/misc/tautulli.nix +++ b/nixos/modules/services/misc/tautulli.nix @@ -6,6 +6,10 @@ let cfg = config.services.tautulli; in { + imports = [ + (mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ]) + ]; + options = { services.tautulli = { enable = mkEnableOption "Tautulli Plex Monitor"; diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index 3bff04e7127..d7f7324580c 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -265,7 +265,7 @@ in { } location /cache/ { - alias /var/cache/${dirName}; + alias /var/cache/${dirName}/; } location ~ \.php$ { diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index bf1084eecc3..0f8bc2471e3 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -43,7 +43,7 @@ let ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable; - SMTP_ENABLE = boolToString cfg.smtp.enable; + SMTP_ENABLED = boolToString cfg.smtp.enable; SMTP_HOST = cfg.smtp.host; SMTP_USER = cfg.smtp.user; SMTP_PASSWORD = cfg.smtp.password; diff --git a/nixos/modules/services/monitoring/nagios.nix b/nixos/modules/services/monitoring/nagios.nix index 6a3b9776946..4128bc12030 100644 --- a/nixos/modules/services/monitoring/nagios.nix +++ b/nixos/modules/services/monitoring/nagios.nix @@ -8,6 +8,7 @@ let nagiosState = "/var/lib/nagios"; nagiosLogDir = "/var/log/nagios"; + urlPath = "/nagios"; nagiosObjectDefs = cfg.objectDefs; @@ -49,12 +50,12 @@ let '' main_config_file=${cfg.mainConfigFile} use_authentication=0 - url_html_path=${cfg.urlPath} + url_html_path=${urlPath} ''; extraHttpdConfig = '' - ScriptAlias ${cfg.urlPath}/cgi-bin ${pkgs.nagios}/sbin + ScriptAlias ${urlPath}/cgi-bin ${pkgs.nagios}/sbin <Directory "${pkgs.nagios}/sbin"> Options ExecCGI @@ -62,7 +63,7 @@ let SetEnv NAGIOS_CGI_CONFIG ${cfg.cgiConfigFile} </Directory> - Alias ${cfg.urlPath} ${pkgs.nagios}/share + Alias ${urlPath} ${pkgs.nagios}/share <Directory "${pkgs.nagios}/share"> Options None @@ -72,6 +73,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "nagios" "urlPath" ] "The urlPath option has been removed as it is hard coded to /nagios in the nagios package.") + ]; + options = { services.nagios = { enable = mkOption { @@ -128,13 +133,20 @@ in "; }; - urlPath = mkOption { - default = "/nagios"; - description = " - The URL path under which the Nagios web interface appears. - That is, you can access the Nagios web interface through - <literal>http://<replaceable>server</replaceable>/<replaceable>urlPath</replaceable></literal>. - "; + virtualHost = mkOption { + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { hostName = "example.org"; + adminAddr = "webmaster@example.org"; + enableSSL = true; + sslServerCert = "/var/lib/acme/example.org/full.pem"; + sslServerKey = "/var/lib/acme/example.org/key.pem"; + } + ''; + description = '' + Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. + See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. + ''; }; }; }; @@ -182,6 +194,8 @@ in ''; }; - services.httpd.extraConfig = optionalString cfg.enableWebInterface extraHttpdConfig; + services.httpd.virtualHosts = optionalAttrs cfg.enableWebInterface { + ${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { extraConfig = extraHttpdConfig; } ]; + }; }; } diff --git a/nixos/modules/services/monitoring/osquery.nix b/nixos/modules/services/monitoring/osquery.nix deleted file mode 100644 index c8c625577d3..00000000000 --- a/nixos/modules/services/monitoring/osquery.nix +++ /dev/null @@ -1,91 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; - -let - cfg = config.services.osquery; - -in - -{ - - options = { - - services.osquery = { - - enable = mkEnableOption "osquery"; - - loggerPath = mkOption { - type = types.path; - description = "Base directory used for logging."; - default = "/var/log/osquery"; - }; - - pidfile = mkOption { - type = types.path; - description = "Path used for pid file."; - default = "/var/osquery/osqueryd.pidfile"; - }; - - utc = mkOption { - type = types.bool; - description = "Attempt to convert all UNIX calendar times to UTC."; - default = true; - }; - - databasePath = mkOption { - type = types.path; - description = "Path used for database file."; - default = "/var/osquery/osquery.db"; - }; - - extraConfig = mkOption { - type = types.attrs // { - merge = loc: foldl' (res: def: recursiveUpdate res def.value) {}; - }; - description = "Extra config to be recursively merged into the JSON config file."; - default = { }; - }; - }; - - }; - - config = mkIf cfg.enable { - - environment.systemPackages = [ pkgs.osquery ]; - - environment.etc."osquery/osquery.conf".text = toJSON ( - recursiveUpdate { - options = { - config_plugin = "filesystem"; - logger_plugin = "filesystem"; - logger_path = cfg.loggerPath; - database_path = cfg.databasePath; - utc = cfg.utc; - }; - } cfg.extraConfig - ); - - systemd.services.osqueryd = { - description = "The osquery Daemon"; - after = [ "network.target" "syslog.service" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.osquery ]; - preStart = '' - mkdir -p ${escapeShellArg cfg.loggerPath} - mkdir -p "$(dirname ${escapeShellArg cfg.pidfile})" - mkdir -p "$(dirname ${escapeShellArg cfg.databasePath})" - ''; - serviceConfig = { - TimeoutStartSec = "infinity"; - ExecStart = "${pkgs.osquery}/bin/osqueryd --logger_path ${escapeShellArg cfg.loggerPath} --pidfile ${escapeShellArg cfg.pidfile} --database_path ${escapeShellArg cfg.databasePath}"; - KillMode = "process"; - KillSignal = "SIGTERM"; - Restart = "on-failure"; - }; - }; - - }; - -} diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixos/modules/services/monitoring/prometheus/alertmanager.nix index 11d85e9c4fc..9af6b1d94f3 100644 --- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix +++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix @@ -27,6 +27,15 @@ let "--log.format ${cfg.logFormat}" ); in { + imports = [ + (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' + Due to incompatibility, the alertmanagerURL option has been removed, + please use 'services.prometheus2.alertmanagers' instead. + '') + ]; + options = { services.prometheus.alertmanager = { enable = mkEnableOption "Prometheus Alertmanager"; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index 191c0bff9c8..b67f697ca0d 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -464,6 +464,11 @@ let }; in { + + imports = [ + (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) + ]; + options.services.prometheus = { enable = mkOption { diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 35b513bac57..36ebffa4463 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -160,6 +160,24 @@ let }; in { + + imports = (lib.forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" + "snmpExporter" "unifiExporter" "varnishExporter" ] + (opt: lib.mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' + The prometheus exporters are now configured using `services.prometheus.exporters'. + See the 18.03 release notes for more information. + '' )) + + ++ (lib.forEach [ "enable" "substitutions" "preset" ] + (opt: lib.mkRemovedOptionModule [ "fonts" "fontconfig" "ultimate" "${opt}" ] '' + The fonts.fontconfig.ultimate module and configuration is obsolete. + The repository has since been archived and activity has ceased. + https://github.com/bohoomil/fontconfig-ultimate/issues/171. + No action should be needed for font configuration, as the fonts.fontconfig + module is already used by default. + '' )); + options.services.prometheus.exporters = mkOption { type = types.submodule { options = (mkSubModules); @@ -197,6 +215,9 @@ in services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey; })] ++ [(mkIf config.services.rspamd.enable { services.prometheus.exporters.rspamd.url = mkDefault "http://localhost:11334/stat"; + })] ++ [(mkIf config.services.nginx.enable { + systemd.services.prometheus-nginx-exporter.after = [ "nginx.service" ]; + systemd.services.prometheus-nginx-exporter.requires = [ "nginx.service" ]; })] ++ (mapAttrsToList (name: conf: mkExporterConf { inherit name; diff --git a/nixos/modules/services/monitoring/zabbix-server.nix b/nixos/modules/services/monitoring/zabbix-server.nix index e9f1590760a..b4e4378ce1e 100644 --- a/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixos/modules/services/monitoring/zabbix-server.nix @@ -44,6 +44,11 @@ let in { + imports = [ + (lib.mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) + (lib.mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") + ]; + # interface options = { diff --git a/nixos/modules/services/network-filesystems/beegfs.nix b/nixos/modules/services/network-filesystems/beegfs.nix deleted file mode 100644 index 2e03a422665..00000000000 --- a/nixos/modules/services/network-filesystems/beegfs.nix +++ /dev/null @@ -1,357 +0,0 @@ -{ config, lib, pkgs, ...} : - -with lib; - -let - cfg = config.services.beegfs; - - # functions for the generations of config files - - configMgmtd = name: cfg: pkgs.writeText "mgmt-${name}.conf" '' - storeMgmtdDirectory = ${cfg.mgmtd.storeDir} - storeAllowFirstRunInit = false - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.mgmtd.extraConfig} - ''; - - configAdmon = name: cfg: pkgs.writeText "admon-${name}.conf" '' - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.admon.extraConfig} - ''; - - configMeta = name: cfg: pkgs.writeText "meta-${name}.conf" '' - storeMetaDirectory = ${cfg.meta.storeDir} - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - storeAllowFirstRunInit = false - - ${cfg.meta.extraConfig} - ''; - - configStorage = name: cfg: pkgs.writeText "storage-${name}.conf" '' - storeStorageDirectory = ${cfg.storage.storeDir} - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - storeAllowFirstRunInit = false - - ${cfg.storage.extraConfig} - ''; - - configHelperd = name: cfg: pkgs.writeText "helperd-${name}.conf" '' - connAuthFile = ${cfg.connAuthFile} - ${cfg.helperd.extraConfig} - ''; - - configClientFilename = name : "/etc/beegfs/client-${name}.conf"; - - configClient = name: cfg: '' - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.client.extraConfig} - ''; - - serviceList = [ - { service = "admon"; cfgFile = configAdmon; } - { service = "meta"; cfgFile = configMeta; } - { service = "mgmtd"; cfgFile = configMgmtd; } - { service = "storage"; cfgFile = configStorage; } - ]; - - # functions to generate systemd.service entries - - systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg: - (nameValuePair "beegfs-${service}-${name}" (mkIf cfg.${service}.enable { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = rec { - ExecStart = '' - ${pkgs.beegfs}/bin/beegfs-${service} \ - cfgFile=${cfgFile name cfg} \ - pidFile=${PIDFile} - ''; - PIDFile = "/run/beegfs-${service}-${name}.pid"; - TimeoutStopSec = "300"; - }; - }))) cfg); - - systemdHelperd = mapAttrs' ( name: cfg: - (nameValuePair "beegfs-helperd-${name}" (mkIf cfg.client.enable { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = rec { - ExecStart = '' - ${pkgs.beegfs}/bin/beegfs-helperd \ - cfgFile=${configHelperd name cfg} \ - pidFile=${PIDFile} - ''; - PIDFile = "/run/beegfs-helperd-${name}.pid"; - TimeoutStopSec = "300"; - }; - }))) cfg; - - # wrappers to beegfs tools. Avoid typing path of config files - utilWrappers = mapAttrsToList ( name: cfg: - ( pkgs.runCommand "beegfs-utils-${name}" { - nativeBuildInputs = [ pkgs.makeWrapper ]; - preferLocalBuild = true; - } '' - mkdir -p $out/bin - - makeWrapper ${pkgs.beegfs}/bin/beegfs-check-servers \ - $out/bin/beegfs-check-servers-${name} \ - --add-flags "-c ${configClientFilename name}" \ - --prefix PATH : ${lib.makeBinPath [ pkgs.beegfs ]} - - makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \ - $out/bin/beegfs-ctl-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" - - makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \ - $out/bin/beegfs-df-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" \ - --add-flags --listtargets \ - --add-flags --hidenodeid \ - --add-flags --pools \ - --add-flags --spaceinfo - - makeWrapper ${pkgs.beegfs}/bin/beegfs-fsck \ - $out/bin/beegfs-fsck-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" - '' - )) cfg; -in -{ - ###### interface - - options = { - services.beegfsEnable = mkEnableOption "BeeGFS"; - - services.beegfs = mkOption { - default = {}; - description = '' - BeeGFS configurations. Every mount point requires a separate configuration. - ''; - type = with types; attrsOf (submodule ({ ... } : { - options = { - mgmtdHost = mkOption { - type = types.str; - default = null; - example = "master"; - description = ''Hostname of managament host.''; - }; - - connAuthFile = mkOption { - type = types.str; - default = ""; - example = "/etc/my.key"; - description = "File containing shared secret authentication."; - }; - - connPortShift = mkOption { - type = types.int; - default = 0; - example = 5; - description = '' - For each additional beegfs configuration shift all - service TCP/UDP ports by at least 5. - ''; - }; - - client = { - enable = mkEnableOption "BeeGFS client"; - - mount = mkOption { - type = types.bool; - default = true; - description = "Create fstab entry automatically"; - }; - - mountPoint = mkOption { - type = types.str; - default = "/run/beegfs"; - description = '' - Mount point under which the beegfs filesytem should be mounted. - If mounted manually the mount option specifing the config file is needed: - cfgFile=/etc/beegfs/beegfs-client-<name>.conf - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-client.conf. - See documentation for further details. - ''; - }; - }; - - helperd = { - enable = mkOption { - type = types.bool; - default = true; - description = '' - Enable the BeeGFS helperd. - The helpered is need for logging purposes on the client. - Disabling <literal>helperd</literal> allows for runing the client - with <literal>allowUnfree = false</literal>. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-helperd.conf. See documentation - for further details. - ''; - }; - }; - - mgmtd = { - enable = mkEnableOption "BeeGFS mgmtd daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-mgmtd"; - description = '' - Data directory for mgmtd. - Must not be shared with other beegfs daemons. - This directory must exist and it must be initialized - with beegfs-setup-mgmtd, e.g. "beegfs-setup-mgmtd -C -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-mgmtd.conf. See documentation - for further details. - ''; - }; - }; - - admon = { - enable = mkEnableOption "BeeGFS admon daemon"; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-admon.conf. See documentation - for further details. - ''; - }; - }; - - meta = { - enable = mkEnableOption "BeeGFS meta data daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-meta"; - description = '' - Data directory for meta data service. - Must not be shared with other beegfs daemons. - The underlying filesystem must be mounted with xattr turned on. - This directory must exist and it must be initialized - with beegfs-setup-meta, e.g. - "beegfs-setup-meta -C -s <serviceID> -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Additional lines for beegfs-meta.conf. See documentation - for further details. - ''; - }; - }; - - storage = { - enable = mkEnableOption "BeeGFS storage daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-storage"; - description = '' - Data directories for storage service. - Must not be shared with other beegfs daemons. - The underlying filesystem must be mounted with xattr turned on. - This directory must exist and it must be initialized - with beegfs-setup-storage, e.g. - "beegfs-setup-storage -C -s <serviceID> -i <storageTargetID> -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Addional lines for beegfs-storage.conf. See documentation - for further details. - ''; - }; - }; - }; - })); - }; - }; - - ###### implementation - - config = - mkIf config.services.beegfsEnable { - - environment.systemPackages = utilWrappers; - - # Put the client.conf files in /etc since they are needed - # by the commandline tools - environment.etc = mapAttrs' ( name: cfg: - (nameValuePair "beegfs/client-${name}.conf" (mkIf (cfg.client.enable) - { - enable = true; - text = configClient name cfg; - }))) cfg; - - # Kernel module, we need it only once per host. - boot = mkIf ( - foldr (a: b: a || b) false - (map (x: x.client.enable) (collect (x: x ? client) cfg))) - { - kernelModules = [ "beegfs" ]; - extraModulePackages = [ pkgs.linuxPackages.beegfs-module ]; - }; - - # generate fstab entries - fileSystems = mapAttrs' (name: cfg: - (nameValuePair cfg.client.mountPoint (optionalAttrs cfg.client.mount (mkIf cfg.client.enable { - device = "beegfs_nodev"; - fsType = "beegfs"; - mountPoint = cfg.client.mountPoint; - options = [ "cfgFile=${configClientFilename name}" "_netdev" ]; - })))) cfg; - - # generate systemd services - systemd.services = systemdHelperd // - foldr (a: b: a // b) {} - (map (x: systemdEntry x.service x.cfgFile) serviceList); - }; -} diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix index 656a2d21b86..543a7b25d5d 100644 --- a/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixos/modules/services/network-filesystems/ceph.nix @@ -9,12 +9,14 @@ let expandCamelCase = replaceStrings upperChars (map (s: " ${s}") lowerChars); expandCamelCaseAttrs = mapAttrs' (name: value: nameValuePair (expandCamelCase name) value); - makeServices = (daemonType: daemonIds: extraServiceConfig: + makeServices = (daemonType: daemonIds: mkMerge (map (daemonId: - { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph extraServiceConfig; }) + { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph; }) daemonIds)); - makeService = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { + makeService = (daemonType: daemonId: clusterName: ceph: + let + stateDirectory = "ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}"; in { enable = true; description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}"; after = [ "network-online.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target"; @@ -22,6 +24,11 @@ let partOf = [ "ceph-${daemonType}.target" ]; wantedBy = [ "ceph-${daemonType}.target" ]; + path = [ pkgs.getopt ]; + + # Don't start services that are not yet initialized + unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring"; + serviceConfig = { LimitNOFILE = 1048576; LimitNPROC = 1048576; @@ -34,22 +41,22 @@ let Restart = "on-failure"; StartLimitBurst = "5"; StartLimitInterval = "30min"; + StateDirectory = stateDirectory; + User = "ceph"; + Group = if daemonType == "osd" then "disk" else "ceph"; ExecStart = ''${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} \ - -f --cluster ${clusterName} --id ${daemonId} --setuser ceph \ - --setgroup ${if daemonType == "osd" then "disk" else "ceph"}''; - } // extraServiceConfig - // optionalAttrs (daemonType == "osd") { ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh \ - --id ${daemonId} --cluster ${clusterName}''; }; - } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { - preStart = '' - daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}" - if [ ! -d $daemonPath ]; then - mkdir -m 755 -p $daemonPath - chown -R ceph:ceph $daemonPath - fi - ''; - } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; } - ); + -f --cluster ${clusterName} --id ${daemonId}''; + } // optionalAttrs (daemonType == "osd") { + ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}''; + StartLimitBurst = "30"; + RestartSec = "20s"; + PrivateDevices = "no"; # osd needs disk access + } // optionalAttrs ( daemonType == "mon") { + RestartSec = "10"; + } // optionalAttrs (lib.elem daemonType ["mgr" "mds"]) { + StartLimitBurst = "3"; + }; + }); makeTarget = (daemonType: { @@ -58,6 +65,7 @@ let partOf = [ "ceph.target" ]; wantedBy = [ "ceph.target" ]; before = [ "ceph.target" ]; + unitConfig.StopWhenUnneeded = true; }; } ); @@ -377,22 +385,22 @@ in systemd.services = let services = [] - ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons { RestartSec = "10"; }) - ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) - ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons { StartLimitBurst = "30"; - RestartSec = "20s"; - PrivateDevices = "no"; # osd needs disk access - }) - ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons { }) - ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); + ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons) + ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons) + ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons) + ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons) + ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons); in mkMerge services; systemd.targets = let targets = [ - { ceph = { description = "Ceph target allowing to start/stop all ceph service instances at once"; - wantedBy = [ "multi-user.target" ]; }; } - ] ++ optional cfg.mon.enable (makeTarget "mon") + { ceph = { + description = "Ceph target allowing to start/stop all ceph service instances at once"; + wantedBy = [ "multi-user.target" ]; + unitConfig.StopWhenUnneeded = true; + }; } ] + ++ optional cfg.mon.enable (makeTarget "mon") ++ optional cfg.mds.enable (makeTarget "mds") ++ optional cfg.osd.enable (makeTarget "osd") ++ optional cfg.rgw.enable (makeTarget "rgw") @@ -401,7 +409,11 @@ in mkMerge targets; systemd.tmpfiles.rules = [ + "d /etc/ceph - ceph ceph - -" "d /run/ceph 0770 ceph ceph -" - ]; + "d /var/lib/ceph - ceph ceph - -"] + ++ optionals cfg.mgr.enable [ "d /var/lib/ceph/mgr - ceph ceph - -"] + ++ optionals cfg.mon.enable [ "d /var/lib/ceph/mon - ceph ceph - -"] + ++ optionals cfg.osd.enable [ "d /var/lib/ceph/osd - ceph ceph - -"]; }; } diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix index 1a78f9a76a3..1b62bfa8203 100644 --- a/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixos/modules/services/network-filesystems/nfsd.nix @@ -11,6 +11,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) + (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) + ]; ###### interface diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index ce565dbaab8..a3c22ce6948 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -12,11 +12,6 @@ let samba = cfg.package; - setupScript = - '' - mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private - ''; - shareConfig = name: let share = getAttr name cfg.shares; in "[${name}]\n " + (smbToString ( @@ -45,7 +40,7 @@ let daemonService = appName: args: { description = "Samba Service Daemon ${appName}"; - after = [ "network.target" ]; + after = [ (mkIf (cfg.enableNmbd && "${appName}" == "smbd") "samba-nmbd.service") ]; requiredBy = [ "samba.target" ]; partOf = [ "samba.target" ]; @@ -62,6 +57,7 @@ let Type = "notify"; NotifyAccess = "all"; #may not do anything... }; + unitConfig.RequiresMountsFor = "/var/lib/samba"; restartTriggers = [ configFile ]; }; @@ -69,6 +65,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") + ]; ###### interface @@ -119,7 +118,7 @@ in type = types.package; default = pkgs.samba; defaultText = "pkgs.samba"; - example = literalExample "pkgs.samba3"; + example = literalExample "pkgs.samba4Full"; description = '' Defines which package should be used for the samba server. ''; @@ -228,8 +227,7 @@ in systemd = { targets.samba = { description = "Samba Server"; - requires = [ "samba-setup.service" ]; - after = [ "samba-setup.service" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; }; # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd @@ -238,12 +236,13 @@ in samba-smbd = daemonService "smbd" ""; samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" ""); samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" ""); - samba-setup = { - description = "Samba Setup Task"; - script = setupScript; - unitConfig.RequiresMountsFor = "/var/lib/samba"; - }; }; + tmpfiles.rules = [ + "d /var/lock/samba - - - - -" + "d /var/log/samba - - - - -" + "d /var/cache/samba - - - - -" + "d /var/lib/samba/private - - - - -" + ]; }; security.pam.services.samba = {}; diff --git a/nixos/modules/services/networking/3proxy.nix b/nixos/modules/services/networking/3proxy.nix new file mode 100644 index 00000000000..26aa1667946 --- /dev/null +++ b/nixos/modules/services/networking/3proxy.nix @@ -0,0 +1,424 @@ +{ config, lib, pkgs, ... }: +with lib; +let + pkg = pkgs._3proxy; + cfg = config.services._3proxy; + optionalList = list: if list == [ ] then "*" else concatMapStringsSep "," toString list; +in { + options.services._3proxy = { + enable = mkEnableOption "3proxy"; + confFile = mkOption { + type = types.path; + example = "/var/lib/3proxy/3proxy.conf"; + description = '' + Ignore all other 3proxy options and load configuration from this file. + ''; + }; + usersFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/3proxy/3proxy.passwd"; + description = '' + Load users and passwords from this file. + + Example users file with plain-text passwords: + + <literal> + test1:CL:password1 + test2:CL:password2 + </literal> + + Example users file with md5-crypted passwords: + + <literal> + test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 + test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. + </literal> + + You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ + Note that htpasswd tool generates incompatible md5-crypted passwords. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/How-To-(incomplete)#USERS">documentation</link> for more information. + ''; + }; + services = mkOption { + type = types.listOf (types.submodule { + options = { + type = mkOption { + type = types.enum [ + "proxy" + "socks" + "pop3p" + "ftppr" + "admin" + "dnspr" + "tcppm" + "udppm" + ]; + example = "proxy"; + description = '' + Service type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"proxy"</literal>: HTTP/HTTPS proxy (default port 3128). + </para></listitem> + <listitem><para> + <literal>"socks"</literal>: SOCKS 4/4.5/5 proxy (default port 1080). + </para></listitem> + <listitem><para> + <literal>"pop3p"</literal>: POP3 proxy (default port 110). + </para></listitem> + <listitem><para> + <literal>"ftppr"</literal>: FTP proxy (default port 21). + </para></listitem> + <listitem><para> + <literal>"admin"</literal>: Web interface (default port 80). + </para></listitem> + <listitem><para> + <literal>"dnspr"</literal>: Caching DNS proxy (default port 53). + </para></listitem> + <listitem><para> + <literal>"tcppm"</literal>: TCP portmapper. + </para></listitem> + <listitem><para> + <literal>"udppm"</literal>: UDP portmapper. + </para></listitem> + </itemizedlist> + ''; + }; + bindAddress = mkOption { + type = types.str; + default = "[::]"; + example = "127.0.0.1"; + description = '' + Address used for service. + ''; + }; + bindPort = mkOption { + type = types.nullOr types.int; + default = null; + example = 3128; + description = '' + Override default port used for service. + ''; + }; + maxConnections = mkOption { + type = types.int; + default = 100; + example = 1000; + description = '' + Maximum number of simulationeous connections to this service. + ''; + }; + auth = mkOption { + type = types.listOf (types.enum [ "none" "iponly" "strong" ]); + example = [ "iponly" "strong" ]; + description = '' + Authentication type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"none"</literal>: disables both authentication and authorization. You can not use ACLs. + </para></listitem> + <listitem><para> + <literal>"iponly"</literal>: specifies no authentication. ACLs authorization is used. + </para></listitem> + <listitem><para> + <literal>"strong"</literal>: authentication by username/password. If user is not registered his access is denied regardless of ACLs. + </para></listitem> + </itemizedlist> + + Double authentication is possible, e.g. + + <literal> + { + auth = [ "iponly" "strong" ]; + acl = [ + { + rule = "allow"; + targets = [ "192.168.0.0/16" ]; + } + { + rule = "allow" + users = [ "user1" "user2" ]; + } + ]; + } + </literal> + In this example strong username authentication is not required to access 192.168.0.0/16. + ''; + }; + acl = mkOption { + type = types.listOf (types.submodule { + options = { + rule = mkOption { + type = types.enum [ "allow" "deny" ]; + example = "allow"; + description = '' + ACL rule. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"allow"</literal>: connections allowed. + </para></listitem> + <listitem><para> + <literal>"deny"</literal>: connections not allowed. + </para></listitem> + </itemizedlist> + ''; + }; + users = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "user1" "user2" "user3" ]; + description = '' + List of users, use empty list for any. + ''; + }; + sources = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of source IP range, use empty list for any. + ''; + }; + targets = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of target IP ranges, use empty list for any. + May also contain host names instead of addresses. + It's possible to use wildmask in the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. + Hostname is only checked if hostname presents in request. + ''; + }; + targetPorts = mkOption { + type = types.listOf types.int; + default = [ ]; + example = [ 80 443 ]; + description = '' + List of target ports, use empty list for any. + ''; + }; + }; + }); + default = [ ]; + example = literalExample '' + [ + { + rule = "allow"; + users = [ "user1" ]; + } + { + rule = "allow"; + sources = [ "192.168.1.0/24" ]; + } + { + rule = "deny"; + } + ] + ''; + description = '' + Use this option to limit user access to resources. + ''; + }; + extraArguments = mkOption { + type = types.nullOr types.str; + default = null; + example = "-46"; + description = '' + Extra arguments for service. + Consult "Options" section in <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available arguments. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + }); + default = [ ]; + example = literalExample '' + [ + { + type = "proxy"; + bindAddress = "192.168.1.24"; + bindPort = 3128; + auth = [ "none" ]; + } + { + type = "proxy"; + bindAddress = "10.10.1.20"; + bindPort = 3128; + auth = [ "iponly" ]; + } + { + type = "socks"; + bindAddress = "172.17.0.1"; + bindPort = 1080; + auth = [ "strong" ]; + } + ] + ''; + description = '' + Use this option to define 3proxy services. + ''; + }; + denyPrivate = mkOption { + type = types.bool; + default = true; + description = '' + Whether to deny access to private IP ranges including loopback. + ''; + }; + privateRanges = mkOption { + type = types.listOf types.str; + default = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + example = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + description = '' + What IP ranges to deny access when denyPrivate is set tu true. + ''; + }; + resolution = mkOption { + type = types.submodule { + options = { + nserver = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.53" "192.168.1.3:5353/tcp" ]; + description = '' + List of nameservers to use. + + Up to 5 nservers may be specified. If no nserver is configured, + default system name resolution functions are used. + ''; + }; + nscache = mkOption { + type = types.int; + default = 65535; + example = 65535; + description = "Set name cache size for IPv4."; + }; + nscache6 = mkOption { + type = types.int; + default = 65535; + example = 65535; + description = "Set name cache size for IPv6."; + }; + nsrecord = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { + "files.local" = "192.168.1.12"; + "site.local" = "192.168.1.43"; + }; + description = "Adds static nsrecords."; + }; + }; + }; + default = { }; + description = '' + Use this option to configure name resolution and DNS caching. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration, appended to the 3proxy configuration file. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + + config = mkIf cfg.enable { + services._3proxy.confFile = mkDefault (pkgs.writeText "3proxy.conf" '' + # log to stdout + log + + ${concatMapStringsSep "\n" (x: "nserver " + x) cfg.resolution.nserver} + + nscache ${toString cfg.resolution.nscache} + nscache6 ${toString cfg.resolution.nscache6} + + ${concatMapStringsSep "\n" (x: "nsrecord " + x) + (mapAttrsToList (name: value: "${name} ${value}") + cfg.resolution.nsrecord)} + + ${optionalString (cfg.usersFile != null) + ''users $"${cfg.usersFile}"'' + } + + ${concatMapStringsSep "\n" (service: '' + auth ${concatStringsSep " " service.auth} + + ${optionalString (cfg.denyPrivate) + "deny * * ${optionalList cfg.privateRanges}"} + + ${concatMapStringsSep "\n" (acl: + "${acl.rule} ${ + concatMapStringsSep " " optionalList [ + acl.users + acl.sources + acl.targets + acl.targetPorts + ] + }") service.acl} + + maxconn ${toString service.maxConnections} + + ${optionalString (service.extraConfig != null) service.extraConfig} + + ${service.type} -i${toString service.bindAddress} ${ + optionalString (service.bindPort != null) + "-p${toString service.bindPort}" + } ${ + optionalString (service.extraArguments != null) service.extraArguments + } + + flush + '') cfg.services} + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + ''); + systemd.services."3proxy" = { + description = "Tiny free proxy server"; + documentation = [ "https://github.com/z3APA3A/3proxy/wiki" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = "3proxy"; + ExecStart = "${pkg}/bin/3proxy ${cfg.confFile}"; + Restart = "on-failure"; + }; + }; + }; + + meta.maintainers = with maintainers; [ misuzu ]; +} diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index 06af4dbcca4..d09c6735e12 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -78,7 +78,11 @@ in cacheNetworks = mkOption { default = ["127.0.0.0/24"]; description = " - What networks are allowed to use us as a resolver. + What networks are allowed to use us as a resolver. Note + that this is for recursive queries -- all networks are + allowed to query zones configured with the `zones` option. + It is recommended that you limit cacheNetworks to avoid your + server being used for DNS amplification attacks. "; }; diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix index 90f1291c019..4e00a886547 100644 --- a/nixos/modules/services/networking/bitcoind.nix +++ b/nixos/modules/services/networking/bitcoind.nix @@ -177,9 +177,6 @@ in { NoNewPrivileges = "true"; PrivateDevices = "true"; MemoryDenyWriteExecute = "true"; - - # Permission for preStart - PermissionsStartOnly = "true"; }; }; users.users.${cfg.user} = { diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index 31127f79049..8402be939fe 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -4,7 +4,7 @@ with pkgs; with lib; let - cfg = config.networking.connman; + cfg = config.services.connman; configFile = pkgs.writeText "connman.conf" '' [General] NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist} @@ -13,11 +13,15 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ]) + ]; + ###### interface options = { - networking.connman = { + services.connman = { enable = mkOption { type = types.bool; @@ -71,13 +75,13 @@ in { assertions = [{ assertion = !config.networking.useDHCP; - message = "You can not use services.networking.connman with services.networking.useDHCP"; + message = "You can not use services.connman with networking.useDHCP"; }{ assertion = config.networking.wireless.enable; - message = "You must use services.networking.connman with services.networking.wireless"; + message = "You must use services.connman with networking.wireless"; }{ assertion = !config.networking.networkmanager.enable; - message = "You can not use services.networking.connman with services.networking.networkmanager"; + message = "You can not use services.connman with networking.networkmanager"; }]; environment.systemPackages = [ connman ]; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 04ce5ca3a87..053efe71270 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -30,6 +30,14 @@ with lib; { + imports = [ + (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] + (config: + let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; + in if value != "" then [ value ] else [])) + (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") + ]; + ###### interface options = { diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix index 0b2063bc424..67f7d811887 100644 --- a/nixos/modules/services/networking/dhcpd.nix +++ b/nixos/modules/services/networking/dhcpd.nix @@ -182,6 +182,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) + ]; + ###### interface options = { diff --git a/nixos/modules/services/networking/dnschain.nix b/nixos/modules/services/networking/dnschain.nix index 5b58ea9b0c9..2586f2d74e9 100644 --- a/nixos/modules/services/networking/dnschain.nix +++ b/nixos/modules/services/networking/dnschain.nix @@ -137,7 +137,7 @@ in ]; services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries { - forwardZones = + forwardZonesRecurse = { bit = "127.0.0.1:${toString cfg.dns.port}"; dns = "127.0.0.1:${toString cfg.dns.port}"; }; @@ -180,4 +180,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index 79f9e1a4308..e53fb7a1578 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -197,4 +197,7 @@ in { }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix index 12eee136e63..8249da69bc1 100644 --- a/nixos/modules/services/networking/dnsdist.nix +++ b/nixos/modules/services/networking/dnsdist.nix @@ -46,11 +46,10 @@ in { RestartSec="1"; DynamicUser = true; StartLimitInterval="0"; - PrivateTmp=true; PrivateDevices=true; - CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; + AmbientCapabilities="CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet="CAP_NET_BIND_SERVICE"; ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}"; - ProtectSystem="full"; ProtectHome=true; RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; LimitNOFILE="16384"; diff --git a/nixos/modules/services/networking/eternal-terminal.nix b/nixos/modules/services/networking/eternal-terminal.nix index be7337ece7e..a2e5b30dc0f 100644 --- a/nixos/modules/services/networking/eternal-terminal.nix +++ b/nixos/modules/services/networking/eternal-terminal.nix @@ -23,6 +23,8 @@ in type = types.int; description = '' The port the server should listen on. Will use the server's default (2022) if not specified. + + Make sure to open this port in the firewall if necessary. ''; }; @@ -86,4 +88,8 @@ in }; }; }; + + meta = { + maintainers = with lib.maintainers; [ pingiun ]; + }; } diff --git a/nixos/modules/services/networking/fakeroute.nix b/nixos/modules/services/networking/fakeroute.nix index 82a9fb729d8..7916ad4098a 100644 --- a/nixos/modules/services/networking/fakeroute.nix +++ b/nixos/modules/services/networking/fakeroute.nix @@ -60,4 +60,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 5919962837a..15aaf741067 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -42,16 +42,7 @@ let kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); - helpers = - '' - # Helper command to manipulate both the IPv4 and IPv6 tables. - ip46tables() { - iptables -w "$@" - ${optionalString config.networking.enableIPv6 '' - ip6tables -w "$@" - ''} - } - ''; + helpers = import ./helpers.nix { inherit config lib; }; writeShScript = name: text: let dir = pkgs.writeScriptBin name '' #! ${pkgs.runtimeShell} -e @@ -271,7 +262,7 @@ let apply = canonicalizePortList; example = [ 22 80 ]; description = - '' + '' List of TCP ports on which incoming connections are accepted. ''; @@ -282,7 +273,7 @@ let default = [ ]; example = [ { from = 8999; to = 9003; } ]; description = - '' + '' A range of TCP ports on which incoming connections are accepted. ''; diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix index 0438d0bf8d8..aff71e5e97d 100644 --- a/nixos/modules/services/networking/haproxy.nix +++ b/nixos/modules/services/networking/haproxy.nix @@ -1,7 +1,16 @@ { config, lib, pkgs, ... }: + let cfg = config.services.haproxy; - haproxyCfg = pkgs.writeText "haproxy.conf" cfg.config; + + haproxyCfg = pkgs.writeText "haproxy.conf" '' + global + # needed for hot-reload to work without dropping packets in multi-worker mode + stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level user + + ${cfg.config} + ''; + in with lib; { @@ -25,9 +34,7 @@ with lib; <filename>haproxy.conf</filename>. ''; }; - }; - }; config = mkIf cfg.enable { @@ -42,21 +49,16 @@ with lib; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "forking"; - PIDFile = "/run/haproxy.pid"; - ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -q -f ${haproxyCfg}"; - ExecStart = "${pkgs.haproxy}/sbin/haproxy -D -f ${haproxyCfg} -p /run/haproxy.pid"; - ExecReload = "-${pkgs.bash}/bin/bash -c \"exec ${pkgs.haproxy}/sbin/haproxy -D -f ${haproxyCfg} -p /run/haproxy.pid -sf $MAINPID\""; + DynamicUser = true; + Type = "notify"; + # when running the config test, don't be quiet so we can see what goes wrong + ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}"; + ExecStart = "${pkgs.haproxy}/sbin/haproxy -Ws -f ${haproxyCfg}"; + Restart = "on-failure"; + RuntimeDirectory = "haproxy"; + # needed in case we bind to port < 1024 + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; }; }; - - environment.systemPackages = [ pkgs.haproxy ]; - - users.users.haproxy = { - group = "haproxy"; - uid = config.ids.uids.haproxy; - }; - - users.groups.haproxy.gid = config.ids.uids.haproxy; }; } diff --git a/nixos/modules/services/networking/helpers.nix b/nixos/modules/services/networking/helpers.nix new file mode 100644 index 00000000000..d7d42de0e3a --- /dev/null +++ b/nixos/modules/services/networking/helpers.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: '' + # Helper command to manipulate both the IPv4 and IPv6 tables. + ip46tables() { + iptables -w "$@" + ${ + lib.optionalString config.networking.enableIPv6 '' + ip6tables -w "$@" + '' + } + } +'' diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index f2be417738e..e2c2275b551 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix @@ -235,6 +235,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) + ]; + ###### interface options = { diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix index 344f84374bb..97b5843bbcf 100644 --- a/nixos/modules/services/networking/iodine.nix +++ b/nixos/modules/services/networking/iodine.nix @@ -11,6 +11,13 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) + (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) + (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) + (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) + (mkRemovedOptionModule [ "services" "iodined" "client" ] "") + ]; ### configuration diff --git a/nixos/modules/services/networking/jormungandr.nix b/nixos/modules/services/networking/jormungandr.nix deleted file mode 100644 index 152cceb4bf9..00000000000 --- a/nixos/modules/services/networking/jormungandr.nix +++ /dev/null @@ -1,102 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.services.jormungandr; - - inherit (lib) mkEnableOption mkIf mkOption; - inherit (lib) optionalString types; - - dataDir = "/var/lib/jormungandr"; - - # Default settings so far, as the service matures we will - # move these out as separate settings - configSettings = { - storage = dataDir; - p2p = { - public_address = "/ip4/127.0.0.1/tcp/8299"; - topics_of_interest = { - messages = "high"; - blocks = "high"; - }; - }; - rest = { - listen = "127.0.0.1:8607"; - }; - }; - - configFile = if cfg.configFile == null then - pkgs.writeText "jormungandr.yaml" (builtins.toJSON configSettings) - else cfg.configFile; - -in { - - options = { - - services.jormungandr = { - enable = mkEnableOption "jormungandr service"; - - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/lib/jormungandr/node.yaml"; - description = '' - The path of the jormungandr blockchain configuration file in YAML format. - If no file is specified, a file is generated using the other options. - ''; - }; - - secretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/etc/secret/jormungandr.yaml"; - description = '' - The path of the jormungandr blockchain secret node configuration file in - YAML format. Do not store this in nix store! - ''; - }; - - genesisBlockHash = mkOption { - type = types.nullOr types.str; - default = null; - example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9"; - description = '' - Set the genesis block hash (the hash of the block0) so we can retrieve - the genesis block (and the blockchain configuration) from the existing - storage or from the network. - ''; - }; - - genesisBlockFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/lib/jormungandr/block-0.bin"; - description = '' - The path of the genesis block file if we are hosting it locally. - ''; - }; - - }; - }; - - config = mkIf cfg.enable { - - systemd.services.jormungandr = { - description = "jormungandr server"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - environment = { - RUST_BACKTRACE = "full"; - }; - serviceConfig = { - DynamicUser = true; - StateDirectory = baseNameOf dataDir; - ExecStart = '' - ${pkgs.jormungandr}/bin/jormungandr --config ${configFile} \ - ${optionalString (cfg.secretFile != null) " --secret ${cfg.secretFile}"} \ - ${optionalString (cfg.genesisBlockHash != null) " --genesis-block-hash ${cfg.genesisBlockHash}"} \ - ${optionalString (cfg.genesisBlockFile != null) " --genesis-block ${cfg.genesisBlockFile}"} - ''; - }; - }; - }; -} diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index 831e4d60d8d..98a3456f639 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -224,15 +224,17 @@ in }; }; - assertions = singleton { - assertion = cfg.mining.enable -> cfg.mining.address != ""; - message = '' + assertions = singleton { + assertion = cfg.mining.enable -> cfg.mining.address != ""; + message = '' You need a Monero address to receive mining rewards: specify one using option monero.mining.address. - ''; - }; + ''; + }; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 082953d2f6a..3054ae1b201 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -46,6 +46,11 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) + (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") + ]; + options = { services.murmur = { enable = mkOption { diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index c8ee0a2f564..43a9a0b2598 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix @@ -201,4 +201,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 5681bda51cb..f1238bc6b16 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -7,26 +7,33 @@ with lib; let - cfg = config.networking.nat; dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; + helpers = import ./helpers.nix { inherit config lib; }; + flushNat = '' - iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true - iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true - iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true - iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true - iptables -w -t nat -F nixos-nat-post 2>/dev/null || true - iptables -w -t nat -X nixos-nat-post 2>/dev/null || true + ${helpers} + ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true + ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true ${cfg.extraStopCommands} ''; setupNat = '' + ${helpers} # Create subchain where we store rules - iptables -w -t nat -N nixos-nat-pre - iptables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-pre + ip46tables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-out # We can't match on incoming interface in POSTROUTING, so # mark packets coming from the internal interfaces. @@ -88,8 +95,9 @@ let ${cfg.extraCommands} # Append our chains to the nat tables - iptables -w -t nat -A PREROUTING -j nixos-nat-pre - iptables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre + ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A OUTPUT -j nixos-nat-out ''; in diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 918bf891b10..53029b59067 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -336,6 +336,7 @@ in { }; imports = [ + (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' This option was removed because allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack @@ -456,15 +457,19 @@ in { }; # Turn off NixOS' network management when networking is managed entirely by NetworkManager - networking = (mkIf (!delegateWireless) { - useDHCP = false; - # Use mkDefault to trigger the assertion about the conflict above - wireless.enable = mkDefault false; - }) // (mkIf cfg.enableStrongSwan { - networkmanager.packages = [ pkgs.networkmanager_strongswan ]; - }) // (mkIf enableIwd { - wireless.iwd.enable = true; - }); + networking = mkMerge [ + (mkIf (!delegateWireless) { + useDHCP = false; + }) + + (mkIf cfg.enableStrongSwan { + networkmanager.packages = [ pkgs.networkmanager_strongswan ]; + }) + + (mkIf enableIwd { + wireless.iwd.enable = true; + }) + ]; security.polkit.extraConfig = polkitConf; diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix index 05be97e66a3..dcd7e9e5fa4 100644 --- a/nixos/modules/services/networking/openvpn.nix +++ b/nixos/modules/services/networking/openvpn.nix @@ -73,6 +73,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") + ]; ###### interface diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index ebfdd9f35b7..6ff181377fc 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -91,10 +91,18 @@ in { forwardZones = mkOption { type = types.attrs; + default = {}; + description = '' + DNS zones to be forwarded to other authoritative servers. + ''; + }; + + forwardZonesRecurse = mkOption { + type = types.attrs; example = { eth = "127.0.0.1:5353"; }; default = {}; description = '' - DNS zones to be forwarded to other servers. + DNS zones to be forwarded to other recursive servers. ''; }; @@ -158,7 +166,8 @@ in { webserver-port = cfg.api.port; webserver-allow-from = cfg.api.allowFrom; - forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse; export-etc-hosts = cfg.exportHosts; dnssec = cfg.dnssecValidation; serve-rfc1918 = cfg.serveRFC1918; @@ -210,4 +219,6 @@ in { "To change extra Recursor settings use services.pdns-recursor.settings instead.") ]; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix index 49ca839a2c3..1f41c720adf 100644 --- a/nixos/modules/services/networking/privoxy.nix +++ b/nixos/modules/services/networking/privoxy.nix @@ -109,4 +109,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index 9412d0ef8a6..60fb3d5d6d4 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -75,4 +75,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix new file mode 100644 index 00000000000..c4d06df6ad4 --- /dev/null +++ b/nixos/modules/services/networking/spacecookie.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.spacecookie; + configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} { + inherit (cfg) hostname port root; + }); +in { + + options = { + + services.spacecookie = { + + enable = mkEnableOption "spacecookie"; + + hostname = mkOption { + type = types.str; + default = "localhost"; + description = "The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu."; + }; + + port = mkOption { + type = types.port; + default = 70; + description = "Port the gopher service should be exposed on."; + }; + + root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = "The root directory spacecookie serves via gopher."; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.sockets.spacecookie = { + description = "Socket for the Spacecookie Gopher Server"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ "[::]:${toString cfg.port}" ]; + socketConfig = { + BindIPv6Only = "both"; + }; + }; + + systemd.services.spacecookie = { + description = "Spacecookie Gopher Server"; + wantedBy = [ "multi-user.target" ]; + requires = [ "spacecookie.socket" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}"; + FileDescriptorStoreMax = 1; + + DynamicUser = true; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + + # AF_UNIX for communication with systemd + # AF_INET replaced by BindIPv6Only=both + RestrictAddressFamilies = "AF_UNIX AF_INET6"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 91fc7d72bc6..b0e2e303cbc 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -74,6 +74,10 @@ let in { + imports = [ + (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) + (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) + ]; ###### interface diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 165fd5970cf..b3f2af5b179 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -18,6 +18,7 @@ let fsWatcherEnabled = folder.watch; fsWatcherDelayS = folder.watchDelay; ignorePerms = folder.ignorePerms; + versioning = folder.versioning; }) (filterAttrs ( _: folder: folder.enable @@ -220,6 +221,69 @@ in { ''; }; + versioning = mkOption { + default = null; + description = '' + How to keep changed/deleted files with syncthing. + There are 4 different types of versioning with different parameters. + See https://docs.syncthing.net/users/versioning.html + ''; + example = [ + { + versioning = { + type = "simple"; + params.keep = "10"; + }; + } + { + versioning = { + type = "trashcan"; + params.cleanoutDays = "1000"; + }; + } + { + versioning = { + type = "staggered"; + params = { + cleanInterval = "3600"; + maxAge = "31536000"; + versionsPath = "/syncthing/backup"; + }; + }; + } + { + versioning = { + type = "external"; + params.versionsPath = pkgs.writers.writeBash "backup" '' + folderpath="$1" + filepath="$2" + rm -rf "$folderpath/$filepath" + ''; + }; + } + ]; + type = with types; nullOr (submodule { + options = { + type = mkOption { + type = enum [ "external" "simple" "staggered" "trashcan" ]; + description = '' + Type of versioning. + See https://docs.syncthing.net/users/versioning.html + ''; + }; + params = mkOption { + type = attrsOf (either str path); + description = '' + Parameters for versioning. Structure depends on versioning.type. + See https://docs.syncthing.net/users/versioning.html + ''; + }; + }; + }); + }; + + + rescanInterval = mkOption { type = types.int; default = 3600; diff --git a/nixos/modules/services/networking/tinydns.nix b/nixos/modules/services/networking/tinydns.nix index 7b2c464ab46..79507b2ebcd 100644 --- a/nixos/modules/services/networking/tinydns.nix +++ b/nixos/modules/services/networking/tinydns.nix @@ -37,6 +37,7 @@ with lib; systemd.services.tinydns = { description = "djbdns tinydns server"; wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; path = with pkgs; [ daemontools djbdns ]; preStart = '' rm -rf /var/lib/tinydns diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 3cf82e8839b..baed83591e1 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -53,6 +53,13 @@ in enable = mkEnableOption "Unbound domain name server"; + package = mkOption { + type = types.package; + default = pkgs.unbound; + defaultText = "pkgs.unbound"; + description = "The unbound package to use"; + }; + allowedAccess = mkOption { default = [ "127.0.0.0/24" ]; type = types.listOf types.str; @@ -94,7 +101,7 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.unbound ]; + environment.systemPackages = [ cfg.package ]; users.users.unbound = { description = "unbound daemon user"; @@ -114,7 +121,7 @@ in mkdir -m 0755 -p ${stateDir}/dev/ cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' - ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" chown unbound ${stateDir} ${rootTrustAnchorFile} ''} touch ${stateDir}/dev/random @@ -122,7 +129,7 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf"; + ExecStart = "${cfg.package}/bin/unbound -d -c ${stateDir}/unbound.conf"; ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random"; ProtectSystem = true; diff --git a/nixos/modules/services/networking/v2ray.nix b/nixos/modules/services/networking/v2ray.nix new file mode 100644 index 00000000000..a1774cdffbb --- /dev/null +++ b/nixos/modules/services/networking/v2ray.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + services.v2ray = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run v2ray server. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/etc/v2ray/config.json"; + description = '' + The absolute path to the configuration file. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + + config = mkOption { + type = types.nullOr (types.attrsOf types.unspecified); + default = null; + example = { + inbounds = [{ + port = 1080; + listen = "127.0.0.1"; + protocol = "http"; + }]; + outbounds = [{ + protocol = "freedom"; + }]; + }; + description = '' + The configuration object. + + Either `configFile` or `config` must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + }; + + }; + + config = let + cfg = config.services.v2ray; + configFile = if cfg.configFile != null + then cfg.configFile + else (pkgs.writeText "v2ray.json" (builtins.toJSON cfg.config)); + + in mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.configFile == null) != (cfg.config == null); + message = "Either but not both `configFile` and `config` should be specified for v2ray."; + } + ]; + + systemd.services.v2ray = { + description = "v2ray Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.v2ray ]; + script = '' + exec v2ray -config ${configFile} + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix index 67be60da567..90093d9a78d 100644 --- a/nixos/modules/services/networking/vsftpd.nix +++ b/nixos/modules/services/networking/vsftpd.nix @@ -34,6 +34,15 @@ let }; optionDescription = [ + (yesNoOption "allowWriteableChroot" "allow_writeable_chroot" false '' + Allow the use of writeable root inside chroot(). + '') + (yesNoOption "virtualUseLocalPrivs" "virtual_use_local_privs" false '' + If enabled, virtual users will use the same privileges as local + users. By default, virtual users will use the same privileges as + anonymous users, which tends to be more restrictive (especially + in terms of write access). + '') (yesNoOption "anonymousUser" "anonymous_enable" false '' Whether to enable the anonymous FTP user. '') @@ -76,9 +85,21 @@ let outgoing data connections can only connect to the client. Only enable if you know what you are doing! '') - (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' '') - (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' '') - (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' '') + (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit TLS v1 protocol connections. + TLS v1 connections are preferred. + '') + (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit SSL v2 protocol connections. + TLS v1 connections are preferred. + '') + (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit SSL v3 protocol connections. + TLS v1 connections are preferred. + '') ]; configFile = pkgs.writeText "vsftpd.conf" @@ -98,6 +119,9 @@ let listen=YES nopriv_user=vsftpd secure_chroot_dir=/var/empty + ${optionalString (cfg.localRoot != null) '' + local_root=${cfg.localRoot} + ''} syslog_enable=YES ${optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") '' seccomp_sandbox=NO @@ -106,6 +130,11 @@ let ${optionalString cfg.anonymousUser '' anon_root=${cfg.anonymousUserHome} ''} + ${optionalString cfg.enableVirtualUsers '' + guest_enable=YES + guest_username=vsftpd + pam_service_name=vsftpd + ''} ${cfg.extraConfig} ''; @@ -119,10 +148,7 @@ in services.vsftpd = { - enable = mkOption { - default = false; - description = "Whether to enable the vsftpd FTP server."; - }; + enable = mkEnableOption "vsftpd"; userlist = mkOption { default = []; @@ -143,6 +169,61 @@ in ''; }; + enableVirtualUsers = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the <literal>pam_userdb</literal>-based + virtual user system + ''; + }; + + userDbPath = mkOption { + type = types.nullOr types.str; + example = "/etc/vsftpd/userDb"; + default = null; + description = '' + Only applies if <option>enableVirtualUsers</option> is true. + Path pointing to the <literal>pam_userdb</literal> user + database used by vsftpd to authenticate the virtual users. + + This user list should be stored in the Berkeley DB database + format. + + To generate a new user database, create a text file, add + your users using the following format: + <programlisting> + user1 + password1 + user2 + password2 + </programlisting> + + You can then install <literal>pkgs.db</literal> to generate + the Berkeley DB using + <programlisting> + db_load -T -t hash -f logins.txt userDb.db + </programlisting> + + Caution: <literal>pam_userdb</literal> will automatically + append a <literal>.db</literal> suffix to the filename you + provide though this option. This option shouldn't include + this filetype suffix. + ''; + }; + + localRoot = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/www/$USER"; + description = '' + This option represents a directory which vsftpd will try to + change into after a local (i.e. non- anonymous) login. + + Failure is silently ignored. + ''; + }; + anonymousUserHome = mkOption { type = types.path; default = "/home/ftp/"; @@ -186,18 +267,25 @@ in config = mkIf cfg.enable { - assertions = singleton + assertions = [ { assertion = (cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null) && (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null); message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!"; - }; + } + { + assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null) + && (cfg.enableVirtualUsers -> cfg.localUsers != null); + message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; + }]; users.users = [ { name = "vsftpd"; uid = config.ids.uids.vsftpd; description = "VSFTPD user"; - home = "/homeless-shelter"; + home = if cfg.localRoot != null + then cfg.localRoot # <= Necessary for virtual users. + else "/homeless-shelter"; } ] ++ optional cfg.anonymousUser { name = "ftp"; @@ -213,23 +301,24 @@ in # = false and whitelist root services.vsftpd.userlist = if cfg.userlistDeny then ["root"] else []; - systemd.services.vsftpd = - { description = "Vsftpd Server"; + systemd = { + tmpfiles.rules = optional cfg.anonymousUser + #Type Path Mode User Gr Age Arg + "d '${builtins.toString cfg.anonymousUserHome}' 0555 'ftp' 'ftp' - -"; + services.vsftpd = { + description = "Vsftpd Server"; wantedBy = [ "multi-user.target" ]; - preStart = - optionalString cfg.anonymousUser - '' - mkdir -p -m 555 ${cfg.anonymousUserHome} - chown -R ftp:ftp ${cfg.anonymousUserHome} - ''; - serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}"; serviceConfig.Restart = "always"; serviceConfig.Type = "forking"; }; + }; + security.pam.services.vsftpd.text = mkIf (cfg.enableVirtualUsers && cfg.userDbPath != null)'' + auth required pam_userdb.so db=${cfg.userDbPath} + account required pam_userdb.so db=${cfg.userDbPath} + ''; }; - } diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 4176da2c8cb..980961225c9 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -112,6 +112,32 @@ let Determines whether to add allowed IPs as routes or not. ''; }; + + socketNamespace = mkOption { + default = null; + type = with types; nullOr str; + example = "container"; + description = ''The pre-existing network namespace in which the + WireGuard interface is created, and which retains the socket even if the + interface is moved via <option>interfaceNamespace</option>. When + <literal>null</literal>, the interface is created in the init namespace. + See <link + xlink:href="https://www.wireguard.com/netns/">documentation</link>. + ''; + }; + + interfaceNamespace = mkOption { + default = null; + type = with types; nullOr str; + example = "init"; + description = ''The pre-existing network namespace the WireGuard + interface is moved to. The special value <literal>init</literal> means + the init namespace. When <literal>null</literal>, the interface is not + moved. + See <link + xlink:href="https://www.wireguard.com/netns/">documentation</link>. + ''; + }; }; }; @@ -239,6 +265,10 @@ let if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey else peer.presharedKeyFile; + src = interfaceCfg.socketNamespace; + dst = interfaceCfg.interfaceNamespace; + ip = nsWrap "ip" src dst; + wg = nsWrap "wg" src dst; in nameValuePair "wireguard-${interfaceName}-peer-${unitName}" { description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}"; @@ -255,16 +285,16 @@ let }; script = let - wg_setup = "wg set ${interfaceName} peer ${peer.publicKey}" + + wg_setup = "${wg} set ${interfaceName} peer ${peer.publicKey}" + optionalString (psk != null) " preshared-key ${psk}" + optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" + optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" + optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}"; route_setup = - optionalString (interfaceCfg.allowedIPsAsRoutes != false) + optionalString interfaceCfg.allowedIPsAsRoutes (concatMapStringsSep "\n" (allowedIP: - "ip route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" + "${ip} route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" ) peer.allowedIPs); in '' ${wg_setup} @@ -272,13 +302,13 @@ let ''; postStop = let - route_destroy = optionalString (interfaceCfg.allowedIPsAsRoutes != false) + route_destroy = optionalString interfaceCfg.allowedIPsAsRoutes (concatMapStringsSep "\n" (allowedIP: - "ip route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" + "${ip} route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" ) peer.allowedIPs); in '' - wg set ${interfaceName} peer ${peer.publicKey} remove + ${wg} set ${interfaceName} peer ${peer.publicKey} remove ${route_destroy} ''; }; @@ -287,6 +317,13 @@ let # exactly one way to specify the private key must be set #assert (values.privateKey != null) != (values.privateKeyFile != null); let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey; + src = values.socketNamespace; + dst = values.interfaceNamespace; + ipPreMove = nsWrap "ip" src null; + ipPostMove = nsWrap "ip" src dst; + wg = nsWrap "wg" src dst; + ns = if dst == "init" then "1" else dst; + in nameValuePair "wireguard-${name}" { @@ -307,26 +344,33 @@ let ${values.preSetup} - ip link add dev ${name} type wireguard + ${ipPreMove} link add dev ${name} type wireguard + ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) "${ipPreMove} link set ${name} netns ${ns}"} ${concatMapStringsSep "\n" (ip: - "ip address add ${ip} dev ${name}" + "${ipPostMove} address add ${ip} dev ${name}" ) values.ips} - wg set ${name} private-key ${privKey} ${ + ${wg} set ${name} private-key ${privKey} ${ optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"} - ip link set up dev ${name} + ${ipPostMove} link set up dev ${name} ${values.postSetup} ''; postStop = '' - ip link del dev ${name} + ${ipPostMove} link del dev ${name} ${values.postShutdown} ''; }; + nsWrap = cmd: src: dst: + let + nsList = filter (ns: ns != null) [ src dst ]; + ns = last nsList; + in + if (length nsList > 0 && ns != "init") then "ip netns exec ${ns} ${cmd}" else cmd; in { diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 294c0d70ede..8f05c3949fb 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -236,9 +236,12 @@ in { ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= - source /sys/class/net/$i/uevent - if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then - ifaces="$ifaces''${ifaces:+ -N} -i$i" + UEVENT_PATH=/sys/class/net/$i/uevent + if [ -e "$UEVENT_PATH" ]; then + source "$UEVENT_PATH" + if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then + ifaces="$ifaces''${ifaces:+ -N} -i$i" + fi fi done '' else '' diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index 0da50ccc344..9e675ecd6f4 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -12,11 +12,11 @@ let configFileProvided = (cfg.configFile != null); generateConfig = ( if configProvided && configFileProvided then - "${pkgs.jq}/bin/jq -s add /run/yggdrasil/configFile.json ${configAsFile}" + "${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}" else if configProvided then "cat ${configAsFile}" else if configFileProvided then - "cat /run/yggdrasil/configFile.json" + "cat ${cfg.configFile}" else "${cfg.package}/bin/yggdrasil -genconf" ); @@ -128,12 +128,6 @@ in { } ]; - environment.etc."yggdrasil.conf" = { - enable = true; - mode = "symlink"; - source = "/run/yggdrasil/yggdrasil.conf"; - }; - systemd.services.yggdrasil = { description = "Yggdrasil Network Service"; path = [ cfg.package ] ++ optional (configProvided && configFileProvided) pkgs.jq; @@ -146,14 +140,14 @@ in { ''; serviceConfig = { - ExecStart = "${cfg.package}/bin/yggdrasil -useconffile /etc/yggdrasil.conf"; + ExecStart = "${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "always"; RuntimeDirectory = "yggdrasil"; RuntimeDirectoryMode = "0700"; BindReadOnlyPaths = mkIf configFileProvided - [ "${cfg.configFile}:/run/yggdrasil/configFile.json" ]; + [ "${cfg.configFile}" ]; # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails # to set up the network adapter when DynamicUser is set. See diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index 05f97bfa539..0a9848a4934 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -239,7 +239,7 @@ in services.znc = { configFile = mkDefault (pkgs.writeText "znc-generated.conf" semanticString); config = { - Version = (builtins.parseDrvName pkgs.znc.name).version; + Version = lib.getVersion pkgs.znc; Listener.l.Port = mkDefault 5000; Listener.l.SSL = mkDefault true; }; diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 1071c05d514..cc35be49bc3 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -112,6 +112,15 @@ in { + imports = [ + (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] + (config: + let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; + in if enabled then [ pkgs.gutenprint ] else [ ])) + (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "") + (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "") + ]; + ###### interface options = { diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix index 04b433f8f2b..ef5bde7907e 100644 --- a/nixos/modules/services/security/clamav.nix +++ b/nixos/modules/services/security/clamav.nix @@ -30,6 +30,10 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) + ]; + options = { services.clamav = { daemon = { diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index ed862387cce..18c105b2f57 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -106,6 +106,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) + (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") + (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") + ]; + options = { services.tor = { enable = mkOption { diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index d5962ba9af9..b0ab8fadcbe 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -119,9 +119,8 @@ in }; users.groups.vault.gid = config.ids.gids.vault; - systemd.tmpfiles.rules = optional (cfg.storagePath != null) [ - "d '${cfg.storagePath}' 0700 vault vault - -" - ]; + systemd.tmpfiles.rules = optional (cfg.storagePath != null) + "d '${cfg.storagePath}' 0700 vault vault - -"; systemd.services.vault = { description = "Vault server daemon"; diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix index a7acdb78b31..7465c10e002 100644 --- a/nixos/modules/services/torrent/magnetico.nix +++ b/nixos/modules/services/torrent/magnetico.nix @@ -35,6 +35,7 @@ let (if (cfg.web.credentialsFile != null || cfg.web.credentials != { }) then "--credentials=${toString credFile}" else "--no-auth") + "--addr=${address}:${toString port}" ] ++ extraOptions); in { @@ -177,7 +178,7 @@ in { systemd.services.magneticod = { description = "Magnetico DHT crawler"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; + after = [ "network.target" ]; serviceConfig = { User = "magnetico"; @@ -189,7 +190,7 @@ in { systemd.services.magneticow = { description = "Magnetico web interface"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" "magneticod.service"]; + after = [ "network.target" "magneticod.service"]; serviceConfig = { User = "magnetico"; @@ -202,7 +203,7 @@ in { assertions = [ { - assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { }; + assertion = cfg.web.credentialsFile == null || cfg.web.credentials == { }; message = '' The options services.magnetico.web.credentialsFile and services.magnetico.web.credentials are mutually exclusives. @@ -212,4 +213,6 @@ in { }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 7409eb8cdcb..f7a88867b61 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -7,6 +7,7 @@ let apparmor = config.security.apparmor.enable; homeDir = cfg.home; + downloadDirPermissions = cfg.downloadDirPermissions; downloadDir = "${homeDir}/Downloads"; incompleteDir = "${homeDir}/.incomplete"; @@ -16,16 +17,14 @@ let # for users in group "transmission" to have access to torrents fullSettings = { umask = 2; download-dir = downloadDir; incomplete-dir = incompleteDir; } // cfg.settings; - # Directories transmission expects to exist and be ug+rwx. - directoriesToManage = [ homeDir settingsDir fullSettings.download-dir fullSettings.incomplete-dir ]; - preStart = pkgs.writeScript "transmission-pre-start" '' #!${pkgs.runtimeShell} set -ex - for DIR in ${escapeShellArgs directoriesToManage}; do + for DIR in "${homeDir}" "${settingsDir}" "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}"; do mkdir -p "$DIR" - chmod 770 "$DIR" done + chmod 700 "${homeDir}" "${settingsDir}" + chmod ${downloadDirPermissions} "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}" cp -f ${settingsFile} ${settingsDir}/settings.json ''; in @@ -71,6 +70,16 @@ in ''; }; + downloadDirPermissions = mkOption { + type = types.str; + default = "770"; + example = "775"; + description = '' + The permissions to set for download-dir and incomplete-dir. + They will be applied on every service start. + ''; + }; + port = mkOption { type = types.int; default = 9091; diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index bd524524130..e00a47191c6 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -3,7 +3,7 @@ let inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption; - inherit (lib) mapAttrs optional optionalString types; + inherit (lib) literalExample mapAttrs optional optionalString types; cfg = config.services.limesurvey; fpm = config.services.phpfpm.pools.limesurvey; @@ -100,19 +100,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "survey.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/survey.example.org/full.pem"; - sslServerKey = "/var/lib/acme/survey.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "survey.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -184,7 +180,7 @@ in config = { tempdir = "${stateDir}/tmp"; uploaddir = "${stateDir}/upload"; - force_ssl = mkIf cfg.virtualHost.enableSSL "on"; + force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; config.defaultlang = "en"; }; }; @@ -215,38 +211,36 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/limesurvey"; - extraConfig = '' - Alias "/tmp" "${stateDir}/tmp" - <Directory "${stateDir}"> - AllowOverride all - Require all granted - Options -Indexes +FollowSymlinks - </Directory> - - Alias "/upload" "${stateDir}/upload" - <Directory "${stateDir}/upload"> - AllowOverride all - Require all granted - Options -Indexes - </Directory> - - <Directory "${pkg}/share/limesurvey"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - - AllowOverride all - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg}/share/limesurvey"; + extraConfig = '' + Alias "/tmp" "${stateDir}/tmp" + <Directory "${stateDir}"> + AllowOverride all + Require all granted + Options -Indexes +FollowSymlinks + </Directory> + + Alias "/upload" "${stateDir}/upload" + <Directory "${stateDir}/upload"> + AllowOverride all + Require all granted + Options -Indexes + </Directory> + + <Directory "${pkg}/share/limesurvey"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + + AllowOverride all + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/services/web-apps/matomo-doc.xml b/nixos/modules/services/web-apps/matomo-doc.xml index 79cece551d3..69d1170e452 100644 --- a/nixos/modules/services/web-apps/matomo-doc.xml +++ b/nixos/modules/services/web-apps/matomo-doc.xml @@ -86,12 +86,6 @@ GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; <itemizedlist> <listitem> <para> - Matomo's file integrity check will warn you. This is due to the patches - necessary for NixOS, you can safely ignore this. - </para> - </listitem> - <listitem> - <para> Matomo will warn you that the JavaScript tracker is not writable. This is because it's located in the read-only nix store. You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 352cc4c647b..75da474dc44 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -18,6 +18,14 @@ let in join config.networking.hostName config.networking.domain; in { + imports = [ + (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ]) + (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ]) + (mkRemovedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") + (mkRemovedOptionModule [ "services" "matomo" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") + (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ]) + ]; + options = { services.matomo = { # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix index 43edc04e1a4..8a109b39bb5 100644 --- a/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixos/modules/services/web-apps/mediawiki.nix @@ -64,7 +64,7 @@ let $wgScriptPath = ""; ## The protocol and server name to use in fully-qualified URLs - $wgServer = "${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}"; + $wgServer = "${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}"; ## The URL path to static resources (images, scripts, etc.) $wgResourceBasePath = $wgScriptPath; @@ -290,19 +290,13 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); example = literalExample '' { hostName = "mediawiki.example.org"; - enableSSL = true; adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/mediawiki.example.org/full.pem"; - sslServerKey = "/var/lib/acme/mediawiki.example.org/key.pem"; + forceSSL = true; + enableACME = true; } ''; description = '' @@ -389,31 +383,28 @@ in services.httpd = { enable = true; - adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/mediawiki"; - extraConfig = '' - <Directory "${pkg}/share/mediawiki"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - - Require all granted - DirectoryIndex index.php - AllowOverride All - </Directory> - '' + optionalString (cfg.uploadsDir != null) '' - Alias "/images" "${cfg.uploadsDir}" - <Directory "${cfg.uploadsDir}"> - Require all granted - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg}/share/mediawiki"; + extraConfig = '' + <Directory "${pkg}/share/mediawiki"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + + Require all granted + DirectoryIndex index.php + AllowOverride All + </Directory> + '' + optionalString (cfg.uploadsDir != null) '' + Alias "/images" "${cfg.uploadsDir}" + <Directory "${cfg.uploadsDir}"> + Require all granted + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix index ac59f9e0012..595d070d940 100644 --- a/nixos/modules/services/web-apps/moodle.nix +++ b/nixos/modules/services/web-apps/moodle.nix @@ -32,7 +32,7 @@ let 'dbcollation' => 'utf8mb4_unicode_ci', ); - $CFG->wwwroot = '${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}'; + $CFG->wwwroot = '${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}'; $CFG->dataroot = '${stateDir}'; $CFG->admin = 'admin'; @@ -140,19 +140,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "moodle.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/moodle.example.org/full.pem"; - sslServerKey = "/var/lib/acme/moodle.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "moodle.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -241,22 +237,20 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${cfg.package}/share/moodle"; - extraConfig = '' - <Directory "${cfg.package}/share/moodle"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${cfg.package}/share/moodle"; + extraConfig = '' + <Directory "${cfg.package}/share/moodle"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index b9186a1dc07..e3a2db398e6 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -31,8 +31,12 @@ let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} cd ${pkgs.nextcloud} - exec /run/wrappers/bin/sudo -u nextcloud \ - NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" \ + sudo=exec + if [[ "$USER" != nextcloud ]]; then + sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR' + fi + export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" + $sudo \ ${phpPackage}/bin/php \ -c ${pkgs.writeText "php.ini" phpOptionsStr}\ occ $* @@ -390,6 +394,7 @@ in { in { wantedBy = [ "multi-user.target" ]; before = [ "phpfpm-nextcloud.service" ]; + path = [ occ ]; script = '' chmod og+x ${cfg.home} ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/ @@ -419,6 +424,7 @@ in { nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; + serviceConfig.User = "nextcloud"; startAt = cfg.autoUpdateApps.startAt; }; }; diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index 2c2f36ac598..9d0a3f65253 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -116,7 +116,7 @@ in }; passwordFile = mkOption { - type = types.nullOr types.str; + type = types.nullOr types.path; default = null; description = '' The database user's password. 'null' if no password is set. @@ -285,7 +285,7 @@ in sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', 'restya');/g" "${runDir}/server/php/config.inc.php" '' else '' sed -i "s/^.*'R_DB_HOST'.*$/define('R_DB_HOST', '${cfg.database.host}');/g" "${runDir}/server/php/config.inc.php" - sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', '$(<${cfg.database.dbPassFile})');/g" "${runDir}/server/php/config.inc.php" + sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', ${if cfg.database.passwordFile == null then "''" else "'file_get_contents(${cfg.database.passwordFile})'"});/g" "${runDir}/server/php/config.inc.php ''} sed -i "s/^.*'R_DB_PORT'.*$/define('R_DB_PORT', '${toString cfg.database.port}');/g" "${runDir}/server/php/config.inc.php" sed -i "s/^.*'R_DB_NAME'.*$/define('R_DB_NAME', '${cfg.database.name}');/g" "${runDir}/server/php/config.inc.php" diff --git a/nixos/modules/services/web-apps/trilium.nix b/nixos/modules/services/web-apps/trilium.nix new file mode 100644 index 00000000000..6f47193c62b --- /dev/null +++ b/nixos/modules/services/web-apps/trilium.nix @@ -0,0 +1,137 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.trilium-server; + configIni = pkgs.writeText "trilium-config.ini" '' + [General] + # Instance name can be used to distinguish between different instances + instanceName=${cfg.instanceName} + + # Disable automatically generating desktop icon + noDesktopIcon=true + + [Network] + # host setting is relevant only for web deployments - set the host on which the server will listen + host=${cfg.host} + # port setting is relevant only for web deployments, desktop builds run on random free port + port=${toString cfg.port} + # true for TLS/SSL/HTTPS (secure), false for HTTP (unsecure). + https=false + ''; +in +{ + + options.services.trilium-server = with lib; { + enable = mkEnableOption "trilium-server"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/trilium"; + description = '' + The directory storing the nodes database and the configuration. + ''; + }; + + instanceName = mkOption { + type = types.str; + default = "Trilium"; + description = '' + Instance name used to distinguish between different instances + ''; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The host address to bind to (defaults to localhost). + ''; + }; + + port = mkOption { + type = types.int; + default = 8080; + description = '' + The port number to bind to. + ''; + }; + + nginx = mkOption { + default = {}; + description = '' + Configuration for nginx reverse proxy. + ''; + + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Configure the nginx reverse proxy settings. + ''; + }; + + hostName = mkOption { + type = types.str; + description = '' + The hostname use to setup the virtualhost configuration + ''; + }; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + meta.maintainers = with lib.maintainers; [ kampka ]; + + users.groups.trilium = {}; + users.users.trilium = { + description = "Trilium User"; + group = "trilium"; + home = cfg.dataDir; + isSystemUser = true; + }; + + systemd.services.trilium-server = { + wantedBy = [ "multi-user.target" ]; + environment.TRILIUM_DATA_DIR = cfg.dataDir; + serviceConfig = { + ExecStart = "${pkgs.trilium-server}/bin/trilium-server"; + User = "trilium"; + Group = "trilium"; + PrivateTmp = "true"; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.dataDir} 0750 trilium trilium - -" + "L+ ${cfg.dataDir}/config.ini - - - - ${configIni}" + ]; + + } + + (lib.mkIf cfg.nginx.enable { + services.nginx = { + enable = true; + virtualHosts."${cfg.nginx.hostName}" = { + locations."/" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}/"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + ''; + }; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }) + ]); +} diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index f1370c2854b..ad4f39fbf52 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -3,7 +3,7 @@ let inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types; inherit (lib) any attrValues concatMapStringsSep flatten literalExample; - inherit (lib) mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; + inherit (lib) mapAttrs mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; eachSite = config.services.wordpress; user = "wordpress"; @@ -127,7 +127,7 @@ let <note><para>These themes need to be packaged before use, see example.</para></note> ''; example = '' - # For shits and giggles, let's package the responsive theme + # Let's package the responsive theme responsiveTheme = pkgs.stdenv.mkDerivation { name = "responsive-theme"; # Download the theme from the wordpress site @@ -209,18 +209,12 @@ let }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); example = literalExample '' { - enableSSL = true; adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/wordpress.example.org/full.pem"; - sslServerKey = "/var/lib/acme/wordpress.example.org/key.pem"; + forceSSL = true; + enableACME = true; } ''; description = '' @@ -304,41 +298,37 @@ in services.httpd = { enable = true; extraModules = [ "proxy_fcgi" ]; - virtualHosts = mapAttrsToList (hostName: cfg: - (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; - extraConfig = '' - <Directory "${pkg hostName cfg}/share/wordpress"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/" - </If> - </FilesMatch> - - # standard wordpress .htaccess contents - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteBase / - RewriteRule ^index\.php$ - [L] - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule . /index.php [L] - </IfModule> - - DirectoryIndex index.php - Require all granted - Options +FollowSymLinks - </Directory> - - # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php - <Files wp-config.php> - Require all denied - </Files> - ''; - } - ]) - ) eachSite; + virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; + extraConfig = '' + <Directory "${pkg hostName cfg}/share/wordpress"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/" + </If> + </FilesMatch> + + # standard wordpress .htaccess contents + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteBase / + RewriteRule ^index\.php$ - [L] + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule . /index.php [L] + </IfModule> + + DirectoryIndex index.php + Require all granted + Options +FollowSymLinks + </Directory> + + # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php + <Files wp-config.php> + Require all denied + </Files> + ''; + } ]) eachSite; }; systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ diff --git a/nixos/modules/services/web-apps/zabbix.nix b/nixos/modules/services/web-apps/zabbix.nix index 09538726b7c..ee8447810c6 100644 --- a/nixos/modules/services/web-apps/zabbix.nix +++ b/nixos/modules/services/web-apps/zabbix.nix @@ -113,19 +113,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "zabbix.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/zabbix.example.org/full.pem"; - sslServerKey = "/var/lib/acme/zabbix.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "zabbix.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -190,23 +186,21 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${cfg.package}/share/zabbix"; - extraConfig = '' - <Directory "${cfg.package}/share/zabbix"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - AllowOverride all - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${cfg.package}/share/zabbix"; + extraConfig = '' + <Directory "${cfg.package}/share/zabbix"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + AllowOverride all + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; users.users.${user} = mapAttrs (name: mkDefault) { diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 99304d0e48a..8e3be316298 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -6,6 +6,8 @@ let mainCfg = config.services.httpd; + runtimeDir = "/run/httpd"; + httpd = mainCfg.package.out; httpdConf = mainCfg.configFile; @@ -16,52 +18,38 @@ let mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; }; - defaultListen = cfg: if cfg.enableSSL - then [{ip = "*"; port = 443;}] - else [{ip = "*"; port = 80;}]; - - getListen = cfg: - if cfg.listen == [] - then defaultListen cfg - else cfg.listen; - - listenToString = l: "${l.ip}:${toString l.port}"; - - extraModules = attrByPath ["extraModules"] [] mainCfg; - extraForeignModules = filter isAttrs extraModules; - extraApacheModules = filter isString extraModules; - - allHosts = [mainCfg] ++ mainCfg.virtualHosts; - - enableSSL = any (vhost: vhost.enableSSL) allHosts; + vhosts = attrValues mainCfg.virtualHosts; + mkListenInfo = hostOpts: + if hostOpts.listen != [] then hostOpts.listen + else ( + optional (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) { ip = "*"; port = 443; ssl = true; } ++ + optional (!hostOpts.onlySSL) { ip = "*"; port = 80; ssl = false; } + ); - # Names of modules from ${httpd}/modules that we want to load. - apacheModules = - [ # HTTP authentication mechanisms: basic and digest. - "auth_basic" "auth_digest" + listenInfo = unique (concatMap mkListenInfo vhosts); - # Authentication: is the user who he claims to be? - "authn_file" "authn_dbm" "authn_anon" "authn_core" + enableSSL = any (listen: listen.ssl) listenInfo; - # Authorization: is the user allowed access? - "authz_user" "authz_groupfile" "authz_host" "authz_core" + enableUserDir = any (vhost: vhost.enableUserDir) vhosts; - # Other modules. - "ext_filter" "include" "log_config" "env" "mime_magic" - "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif" - "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" - "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" - "userdir" "alias" "rewrite" "proxy" "proxy_http" - "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb" + # NOTE: generally speaking order of modules is very important + modules = + [ # required apache modules our httpd service cannot run without + "authn_core" "authz_core" + "log_config" + "mime" "autoindex" "negotiation" "dir" + "alias" "rewrite" + "unixd" "slotmem_shm" "socache_shmcb" "mpm_${mainCfg.multiProcessingModule}" - - # For compatibility with old configurations, the new module mod_access_compat is provided. - "access_compat" ] ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ optional enableSSL "ssl" - ++ extraApacheModules; + ++ optional enableUserDir "userdir" + ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; } + ++ optional mainCfg.enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; } + ++ optional mainCfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } + ++ mainCfg.extraModules; allDenied = "Require all denied"; @@ -85,20 +73,22 @@ let browserHacks = '' - BrowserMatch "Mozilla/2" nokeepalive - BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 - BrowserMatch "RealPlayer 4\.0" force-response-1.0 - BrowserMatch "Java/1\.0" force-response-1.0 - BrowserMatch "JDK/1\.0" force-response-1.0 - BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully - BrowserMatch "^WebDrive" redirect-carefully - BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully - BrowserMatch "^gnome-vfs" redirect-carefully + <IfModule mod_setenvif.c> + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs" redirect-carefully + </IfModule> ''; sslConf = '' - SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000) + SSLSessionCache shmcb:${runtimeDir}/ssl_scache(512000) Mutex posixsem @@ -123,129 +113,144 @@ let </IfModule> ''; - - perServerConf = isMainServer: cfg: let - - # Canonical name must not include a trailing slash. - canonicalNames = - let defaultPort = (head (defaultListen cfg)).port; in - map (port: - (if cfg.enableSSL then "https" else "http") + "://" + - cfg.hostName + - (if port != defaultPort then ":${toString port}" else "") - ) (map (x: x.port) (getListen cfg)); - - maybeDocumentRoot = fold (svc: acc: - if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc - ) null ([ cfg ]); - - documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; - - documentRootConf = '' - DocumentRoot "${documentRoot}" - - <Directory "${documentRoot}"> - Options Indexes FollowSymLinks - AllowOverride None - ${allGranted} - </Directory> - ''; - - # If this is a vhost, the include the entries for the main server as well. - robotsTxt = concatStringsSep "\n" (filter (x: x != "") ([ cfg.robotsEntries ] ++ lib.optional (!isMainServer) mainCfg.robotsEntries)); - - in '' - ${concatStringsSep "\n" (map (n: "ServerName ${n}") canonicalNames)} - - ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases} - - ${if cfg.sslServerCert != null then '' - SSLCertificateFile ${cfg.sslServerCert} - SSLCertificateKeyFile ${cfg.sslServerKey} - ${if cfg.sslServerChain != null then '' - SSLCertificateChainFile ${cfg.sslServerChain} - '' else ""} - '' else ""} - - ${if cfg.enableSSL then '' - SSLEngine on - '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */ - '' - SSLEngine off - '' else ""} - - ${if isMainServer || cfg.adminAddr != null then '' - ServerAdmin ${cfg.adminAddr} - '' else ""} - - ${if !isMainServer && mainCfg.logPerVirtualHost then '' - ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log - CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat} - '' else ""} - - ${optionalString (robotsTxt != "") '' - Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt} - ''} - - ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""} - - ${if cfg.enableUserDir then '' - - UserDir public_html - UserDir disabled root - - <Directory "/home/*/public_html"> - AllowOverride FileInfo AuthConfig Limit Indexes - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - <Limit GET POST OPTIONS> - ${allGranted} - </Limit> - <LimitExcept GET POST OPTIONS> - ${allDenied} - </LimitExcept> - </Directory> - - '' else ""} - - ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then '' - RedirectPermanent / ${cfg.globalRedirect} - '' else ""} - - ${ - let makeFileConf = elem: '' - Alias ${elem.urlPath} ${elem.file} - ''; - in concatMapStrings makeFileConf cfg.servedFiles - } - - ${ - let makeDirConf = elem: '' - Alias ${elem.urlPath} ${elem.dir}/ - <Directory ${elem.dir}> - Options +Indexes - ${allGranted} - AllowOverride All - </Directory> - ''; - in concatMapStrings makeDirConf cfg.servedDirs - } - - ${cfg.extraConfig} - ''; + mkVHostConf = hostOpts: + let + adminAddr = if hostOpts.adminAddr != null then hostOpts.adminAddr else mainCfg.adminAddr; + listen = filter (listen: !listen.ssl) (mkListenInfo hostOpts); + listenSSL = filter (listen: listen.ssl) (mkListenInfo hostOpts); + + useACME = hostOpts.enableACME || hostOpts.useACMEHost != null; + sslCertDir = + if hostOpts.enableACME then config.security.acme.certs.${hostOpts.hostName}.directory + else if hostOpts.useACMEHost != null then config.security.acme.certs.${hostOpts.useACMEHost}.directory + else abort "This case should never happen."; + + sslServerCert = if useACME then "${sslCertDir}/full.pem" else hostOpts.sslServerCert; + sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey; + sslServerChain = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerChain; + + acmeChallenge = optionalString useACME '' + Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/" + <Directory "${hostOpts.acmeRoot}"> + AllowOverride None + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Require method GET POST OPTIONS + Require all granted + </Directory> + ''; + in + optionalString (listen != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listen}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ServerAdmin ${adminAddr} + <IfModule mod_ssl.c> + SSLEngine off + </IfModule> + ${acmeChallenge} + ${if hostOpts.forceSSL then '' + <IfModule mod_rewrite.c> + RewriteEngine on + RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC] + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + </IfModule> + '' else mkVHostCommonConf hostOpts} + </VirtualHost> + '' + + optionalString (listenSSL != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listenSSL}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ServerAdmin ${adminAddr} + SSLEngine on + SSLCertificateFile ${sslServerCert} + SSLCertificateKeyFile ${sslServerKey} + ${optionalString (sslServerChain != null) "SSLCertificateChainFile ${sslServerChain}"} + ${acmeChallenge} + ${mkVHostCommonConf hostOpts} + </VirtualHost> + '' + ; + + mkVHostCommonConf = hostOpts: + let + documentRoot = if hostOpts.documentRoot != null + then hostOpts.documentRoot + else pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out" + ; + in + '' + ${optionalString mainCfg.logPerVirtualHost '' + ErrorLog ${mainCfg.logDir}/error-${hostOpts.hostName}.log + CustomLog ${mainCfg.logDir}/access-${hostOpts.hostName}.log ${hostOpts.logFormat} + ''} + + ${optionalString (hostOpts.robotsEntries != "") '' + Alias /robots.txt ${pkgs.writeText "robots.txt" hostOpts.robotsEntries} + ''} + + DocumentRoot "${documentRoot}" + + <Directory "${documentRoot}"> + Options Indexes FollowSymLinks + AllowOverride None + ${allGranted} + </Directory> + + ${optionalString hostOpts.enableUserDir '' + UserDir public_html + UserDir disabled root + <Directory "/home/*/public_html"> + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS> + Require all granted + </Limit> + <LimitExcept GET POST OPTIONS> + Require all denied + </LimitExcept> + </Directory> + ''} + + ${optionalString (hostOpts.globalRedirect != null && hostOpts.globalRedirect != "") '' + RedirectPermanent / ${hostOpts.globalRedirect} + ''} + + ${ + let makeFileConf = elem: '' + Alias ${elem.urlPath} ${elem.file} + ''; + in concatMapStrings makeFileConf hostOpts.servedFiles + } + ${ + let makeDirConf = elem: '' + Alias ${elem.urlPath} ${elem.dir}/ + <Directory ${elem.dir}> + Options +Indexes + ${allGranted} + AllowOverride All + </Directory> + ''; + in concatMapStrings makeDirConf hostOpts.servedDirs + } + + ${hostOpts.extraConfig} + '' + ; confFile = pkgs.writeText "httpd.conf" '' ServerRoot ${httpd} + ServerName ${config.networking.hostName} + DefaultRuntimeDir ${runtimeDir}/runtime - DefaultRuntimeDir ${mainCfg.stateDir}/runtime - - PidFile ${mainCfg.stateDir}/httpd.pid + PidFile ${runtimeDir}/httpd.pid ${optionalString (mainCfg.multiProcessingModule != "prefork") '' # mod_cgid requires this. - ScriptSock ${mainCfg.stateDir}/cgisock + ScriptSock ${runtimeDir}/cgisock ''} <IfModule prefork.c> @@ -254,23 +259,21 @@ let </IfModule> ${let - listen = concatMap getListen allHosts; - toStr = listen: "Listen ${listenToString listen}\n"; - uniqueListen = uniqList {inputList = map toStr listen;}; - in concatStrings uniqueListen + toStr = listen: "Listen ${listen.ip}:${toString listen.port} ${if listen.ssl then "https" else "http"}"; + uniqueListen = uniqList {inputList = map toStr listenInfo;}; + in concatStringsSep "\n" uniqueListen } User ${mainCfg.user} Group ${mainCfg.group} ${let - load = {name, path}: "LoadModule ${name}_module ${path}\n"; - allModules = map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules - ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; } - ++ optional mainCfg.enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; } - ++ optional mainCfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } - ++ extraForeignModules; - in concatMapStrings load (unique allModules) + mkModule = module: + if isString module then { name = module; path = "${httpd}/modules/mod_${module}.so"; } + else if isAttrs module then { inherit (module) name path; } + else throw "Expecting either a string or attribute set including a name and path."; + in + concatMapStringsSep "\n" (module: "LoadModule ${module.name}_module ${module.path}") (unique (map mkModule modules)) } AddHandler type-map var @@ -306,17 +309,9 @@ let ${allGranted} </Directory> - # Generate directives for the main server. - ${perServerConf true mainCfg} + ${mainCfg.extraConfig} - ${let - makeVirtualHost = vhost: '' - <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> - ${perServerConf false vhost} - </VirtualHost> - ''; - in concatMapStrings makeVirtualHost mainCfg.virtualHosts - } + ${concatMapStringsSep "\n" mkVHostConf vhosts} ''; # Generate the PHP configuration file. Should probably be factored @@ -337,6 +332,22 @@ in imports = [ (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") + (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.") + + # virtualHosts options + (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableSSL" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableUserDir" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "globalRedirect" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "hostName" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "listen" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "robotsEntries" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedDirs" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedFiles" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "serverAliases" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerCert" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerChain" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerKey" ] "Please define a virtual host using `services.httpd.virtualHosts`.") ]; ###### interface @@ -375,7 +386,7 @@ in type = types.lines; default = ""; description = '' - Cnfiguration lines appended to the generated Apache + Configuration lines appended to the generated Apache configuration file. Note that this mechanism may not work when <option>configFile</option> is overridden. ''; @@ -384,7 +395,12 @@ in extraModules = mkOption { type = types.listOf types.unspecified; default = []; - example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]''; + example = literalExample '' + [ + "proxy_connect" + { name = "jk"; path = "''${pkgs.tomcat_connectors}/modules/mod_jk.so"; } + ] + ''; description = '' Additional Apache modules to be used. These can be specified as a string in the case of modules distributed @@ -394,9 +410,25 @@ in ''; }; + adminAddr = mkOption { + type = types.str; + example = "admin@example.org"; + description = "E-mail address of the server administrator."; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = '' + Log format for log files. Possible values are: combined, common, referer, agent. + See <link xlink:href="https://httpd.apache.org/docs/2.4/logs.html"/> for more details. + ''; + }; + logPerVirtualHost = mkOption { type = types.bool; - default = false; + default = true; description = '' If enabled, each virtual host gets its own <filename>access.log</filename> and @@ -431,37 +463,29 @@ in ''; }; - stateDir = mkOption { - type = types.path; - default = "/run/httpd"; - description = '' - Directory for Apache's transient runtime state (such as PID - files). It is created automatically. Note that the default, - <filename>/run/httpd</filename>, is deleted at boot time. - ''; - }; - virtualHosts = mkOption { - type = types.listOf (types.submodule ( - { options = import ./per-server-options.nix { - inherit lib; - forMainServer = false; + type = with types; attrsOf (submodule (import ./per-server-options.nix)); + default = { + localhost = { + documentRoot = "${httpd}/htdocs"; + }; + }; + example = literalExample '' + { + "foo.example.com" = { + forceSSL = true; + documentRoot = "/var/www/foo.example.com" + }; + "bar.example.com" = { + addSSL = true; + documentRoot = "/var/www/bar.example.com"; }; - })); - default = []; - example = [ - { hostName = "foo"; - documentRoot = "/data/webroot-foo"; - } - { hostName = "bar"; - documentRoot = "/data/webroot-bar"; } - ]; + ''; description = '' - Specification of the virtual hosts served by Apache. Each + Specification of the virtual hosts served by Apache. Each element should be an attribute set specifying the - configuration of the virtual host. The available options - are the non-global options permissible for the main host. + configuration of the virtual host. ''; }; @@ -547,13 +571,7 @@ in example = "All -SSLv2 -SSLv3"; description = "Allowed SSL/TLS protocol versions."; }; - } - - # Include the options shared between the main server and virtual hosts. - // (import ./per-server-options.nix { - inherit lib; - forMainServer = true; - }); + }; }; @@ -562,11 +580,31 @@ in config = mkIf config.services.httpd.enable { - assertions = [ { assertion = mainCfg.enableSSL == true - -> mainCfg.sslServerCert != null - && mainCfg.sslServerKey != null; - message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } - ]; + assertions = [ + { + assertion = all (hostOpts: !hostOpts.enableSSL) vhosts; + message = '' + The option `services.httpd.virtualHosts.<name>.enableSSL` no longer has any effect; please remove it. + Select one of `services.httpd.virtualHosts.<name>.addSSL`, `services.httpd.virtualHosts.<name>.forceSSL`, + or `services.httpd.virtualHosts.<name>.onlySSL`. + ''; + } + { + assertion = all (hostOpts: with hostOpts; !(addSSL && onlySSL) && !(forceSSL && onlySSL) && !(addSSL && forceSSL)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.addSSL`, + `services.httpd.virtualHosts.<name>.onlySSL` and `services.httpd.virtualHosts.<name>.forceSSL` + are mutually exclusive. + ''; + } + { + assertion = all (hostOpts: !(hostOpts.enableACME && hostOpts.useACMEHost != null)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.enableACME` and + `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive. + ''; + } + ]; users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton { name = "wwwrun"; @@ -580,6 +618,15 @@ in gid = config.ids.gids.wwwrun; }); + security.acme.certs = mapAttrs (name: hostOpts: { + user = mainCfg.user; + group = mkDefault mainCfg.group; + email = if hostOpts.adminAddr != null then hostOpts.adminAddr else mainCfg.adminAddr; + webroot = hostOpts.acmeRoot; + extraDomains = genAttrs hostOpts.serverAliases (alias: null); + postRun = "systemctl reload httpd.service"; + }) (filterAttrs (name: hostOpts: hostOpts.enableACME) mainCfg.virtualHosts); + environment.systemPackages = [httpd]; services.httpd.phpOptions = @@ -595,11 +642,37 @@ in date.timezone = "${config.time.timeZone}" ''; + services.httpd.extraModules = mkBefore [ + # HTTP authentication mechanisms: basic and digest. + "auth_basic" "auth_digest" + + # Authentication: is the user who he claims to be? + "authn_file" "authn_dbm" "authn_anon" + + # Authorization: is the user allowed access? + "authz_user" "authz_groupfile" "authz_host" + + # Other modules. + "ext_filter" "include" "env" "mime_magic" + "cern_meta" "expires" "headers" "usertrack" "setenvif" + "dav" "status" "asis" "info" "dav_fs" + "vhost_alias" "imagemap" "actions" "speling" + "proxy" "proxy_http" + "cache" "cache_disk" + + # For compatibility with old configurations, the new module mod_access_compat is provided. + "access_compat" + ]; + systemd.services.httpd = + let + vhostsACME = filter (hostOpts: hostOpts.enableACME) vhosts; + in { description = "Apache HTTPD"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "fs.target" ]; + wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME); + after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME; path = [ httpd pkgs.coreutils pkgs.gnugrep ] @@ -611,12 +684,6 @@ in preStart = '' - mkdir -m 0750 -p ${mainCfg.stateDir} - [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} - - mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" - [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" - mkdir -m 0700 -p ${mainCfg.logDir} # Get rid of old semaphores. These tend to accumulate across @@ -630,10 +697,13 @@ in serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}"; serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop"; serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful"; + serviceConfig.Group = mainCfg.group; serviceConfig.Type = "forking"; - serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid"; + serviceConfig.PIDFile = "${runtimeDir}/httpd.pid"; serviceConfig.Restart = "always"; serviceConfig.RestartSec = "5s"; + serviceConfig.RuntimeDirectory = "httpd httpd/runtime"; + serviceConfig.RuntimeDirectoryMode = "0750"; }; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix index c36207d5460..f2e92cda05f 100644 --- a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix @@ -1,174 +1,235 @@ -# This file defines the options that can be used both for the Apache -# main server configuration, and for the virtual hosts. (The latter -# has additional options that affect the web server as a whole, like -# the user/group to run under.) - -{ forMainServer, lib }: - -with lib; - +{ config, lib, name, ... }: +let + inherit (lib) mkOption types; +in { + options = { + + hostName = mkOption { + type = types.str; + default = name; + description = "Canonical hostname for the server."; + }; + + serverAliases = mkOption { + type = types.listOf types.str; + default = []; + example = ["www.example.org" "www.example.org:8080" "example.org"]; + description = '' + Additional names of virtual hosts served by this virtual host configuration. + ''; + }; + + listen = mkOption { + type = with types; listOf (submodule ({ + options = { + port = mkOption { + type = types.port; + description = "Port to listen on"; + }; + ip = mkOption { + type = types.str; + default = "*"; + description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all."; + }; + ssl = mkOption { + type = types.bool; + default = false; + description = "Whether to enable SSL (https) support."; + }; + }; + })); + default = []; + example = [ + { ip = "195.154.1.1"; port = 443; ssl = true;} + { ip = "192.154.1.1"; port = 80; } + { ip = "*"; port = 8080; } + ]; + description = '' + Listen addresses and ports for this virtual host. + <note><para> + This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>. + </para></note> + ''; + }; + + enableSSL = mkOption { + type = types.bool; + visible = false; + default = false; + }; + + addSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS in addition to plain HTTP. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443). + ''; + }; + + onlySSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS and reject plain HTTP connections. This will set + defaults for <literal>listen</literal> to listen on all interfaces on port 443. + ''; + }; + + forceSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add a separate nginx server block that permanently redirects (301) + all plain HTTP traffic to HTTPS. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443), where the non-SSL listens are used for the redirect vhosts. + ''; + }; + + enableACME = mkOption { + type = types.bool; + default = false; + description = '' + Whether to ask Let's Encrypt to sign a certificate for this vhost. + Alternately, you can use an existing certificate through <option>useACMEHost</option>. + ''; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + A host of an existing Let's Encrypt certificate to use. + This is useful if you have many subdomains and want to avoid hitting the + <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>. + Alternately, you can generate a certificate through <option>enableACME</option>. + <emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.</emphasis> + ''; + }; + + acmeRoot = mkOption { + type = types.str; + default = "/var/lib/acme/acme-challenges"; + description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here"; + }; + + sslServerCert = mkOption { + type = types.path; + example = "/var/host.cert"; + description = "Path to server SSL certificate."; + }; + + sslServerKey = mkOption { + type = types.path; + example = "/var/host.key"; + description = "Path to server SSL certificate key."; + }; + + sslServerChain = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/ca.pem"; + description = "Path to server SSL chain file."; + }; + + adminAddr = mkOption { + type = types.nullOr types.str; + default = null; + example = "admin@example.org"; + description = "E-mail address of the server administrator."; + }; + + documentRoot = mkOption { + type = types.nullOr types.path; + default = null; + example = "/data/webserver/docs"; + description = '' + The path of Apache's document root directory. If left undefined, + an empty directory in the Nix store will be used as root. + ''; + }; + + servedDirs = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/nix"; + dir = "/home/eelco/Dev/nix-homepage"; + } + ]; + description = '' + This option provides a simple way to serve static directories. + ''; + }; + + servedFiles = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/foo/bar.png"; + file = "/home/eelco/some-file.png"; + } + ]; + description = '' + This option provides a simple way to serve individual, static files. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + <Directory /home> + Options FollowSymlinks + AllowOverride All + </Directory> + ''; + description = '' + These lines go to httpd.conf verbatim. They will go after + directories and directory aliases defined by default. + ''; + }; + + enableUserDir = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable serving <filename>~/public_html</filename> as + <literal>/~<replaceable>username</replaceable></literal>. + ''; + }; + + globalRedirect = mkOption { + type = types.nullOr types.str; + default = null; + example = http://newserver.example.org/; + description = '' + If set, all requests for this host are redirected permanently to + the given URL. + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = '' + Log format for Apache's log files. Possible values are: combined, common, referer, agent. + ''; + }; + + robotsEntries = mkOption { + type = types.lines; + default = ""; + example = "Disallow: /foo/"; + description = '' + Specification of pages to be ignored by web crawlers. See <link + xlink:href='http://www.robotstxt.org/'/> for details. + ''; + }; - hostName = mkOption { - type = types.str; - default = "localhost"; - description = "Canonical hostname for the server."; - }; - - serverAliases = mkOption { - type = types.listOf types.str; - default = []; - example = ["www.example.org" "www.example.org:8080" "example.org"]; - description = '' - Additional names of virtual hosts served by this virtual host configuration. - ''; - }; - - listen = mkOption { - type = types.listOf (types.submodule ( - { - options = { - port = mkOption { - type = types.int; - description = "port to listen on"; - }; - ip = mkOption { - type = types.str; - default = "*"; - description = "Ip to listen on. 0.0.0.0 for ipv4 only, * for all."; - }; - }; - } )); - description = '' - List of { /* ip: "*"; */ port = 80;} to listen on - ''; - - default = []; - }; - - enableSSL = mkOption { - type = types.bool; - default = false; - description = "Whether to enable SSL (https) support."; }; - - # Note: sslServerCert and sslServerKey can be left empty, but this - # only makes sense for virtual hosts (they will inherit from the - # main server). - - sslServerCert = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/host.cert"; - description = "Path to server SSL certificate."; - }; - - sslServerKey = mkOption { - type = types.path; - example = "/var/host.key"; - description = "Path to server SSL certificate key."; - }; - - sslServerChain = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/ca.pem"; - description = "Path to server SSL chain file."; - }; - - adminAddr = mkOption ({ - type = types.nullOr types.str; - example = "admin@example.org"; - description = "E-mail address of the server administrator."; - } // (if forMainServer then {} else {default = null;})); - - documentRoot = mkOption { - type = types.nullOr types.path; - default = null; - example = "/data/webserver/docs"; - description = '' - The path of Apache's document root directory. If left undefined, - an empty directory in the Nix store will be used as root. - ''; - }; - - servedDirs = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { urlPath = "/nix"; - dir = "/home/eelco/Dev/nix-homepage"; - } - ]; - description = '' - This option provides a simple way to serve static directories. - ''; - }; - - servedFiles = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { urlPath = "/foo/bar.png"; - file = "/home/eelco/some-file.png"; - } - ]; - description = '' - This option provides a simple way to serve individual, static files. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - example = '' - <Directory /home> - Options FollowSymlinks - AllowOverride All - </Directory> - ''; - description = '' - These lines go to httpd.conf verbatim. They will go after - directories and directory aliases defined by default. - ''; - }; - - enableUserDir = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable serving <filename>~/public_html</filename> as - <literal>/~<replaceable>username</replaceable></literal>. - ''; - }; - - globalRedirect = mkOption { - type = types.nullOr types.str; - default = null; - example = http://newserver.example.org/; - description = '' - If set, all requests for this host are redirected permanently to - the given URL. - ''; - }; - - logFormat = mkOption { - type = types.str; - default = "common"; - example = "combined"; - description = '' - Log format for Apache's log files. Possible values are: combined, common, referer, agent. - ''; - }; - - robotsEntries = mkOption { - type = types.lines; - default = ""; - example = "Disallow: /foo/"; - description = '' - Specification of pages to be ignored by web crawlers. See <link - xlink:href='http://www.robotstxt.org/'/> for details. - ''; - }; - } diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index eb90dae94df..ada7a25604c 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -47,7 +47,7 @@ let '')); configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' - user ${cfg.user} ${cfg.group}; + pid /run/nginx/nginx.pid; error_log ${cfg.logError}; daemon off; @@ -366,12 +366,7 @@ in preStart = mkOption { type = types.lines; - default = '' - test -d ${cfg.stateDir}/logs || mkdir -m 750 -p ${cfg.stateDir}/logs - test `stat -c %a ${cfg.stateDir}` = "750" || chmod 750 ${cfg.stateDir} - test `stat -c %a ${cfg.stateDir}/logs` = "750" || chmod 750 ${cfg.stateDir}/logs - chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} - ''; + default = ""; description = " Shell commands executed before the service's nginx is started. "; @@ -673,23 +668,36 @@ in } ]; + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.nginx = { description = "Nginx Web Server"; wantedBy = [ "multi-user.target" ]; wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts); after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts; stopIfChanged = false; - preStart = - '' + preStart = '' ${cfg.preStart} - ${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t - ''; + ${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}' -t + ''; serviceConfig = { - ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}"; + ExecStart = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "always"; RestartSec = "10s"; StartLimitInterval = "1min"; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "nginx"; + RuntimeDirectoryMode = "0750"; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; }; }; diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix index aeb9b1dd79e..3d9e391ecf2 100644 --- a/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixos/modules/services/web-servers/nginx/location-options.nix @@ -1,4 +1,4 @@ -# This file defines the options that can be used both for the Apache +# This file defines the options that can be used both for the Nginx # main server configuration, and for the virtual hosts. (The latter # has additional options that affect the web server as a whole, like # the user/group to run under.) @@ -67,7 +67,7 @@ with lib; return = mkOption { type = types.nullOr types.str; default = null; - example = "301 http://example.com$request_uri;"; + example = "301 http://example.com$request_uri"; description = '' Adds a return directive, for e.g. redirections. ''; @@ -92,4 +92,3 @@ with lib; }; }; } - diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 15b933c984a..455854e2a96 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -1,4 +1,4 @@ -# This file defines the options that can be used both for the Apache +# This file defines the options that can be used both for the Nginx # main server configuration, and for the virtual hosts. (The latter # has additional options that affect the web server as a whole, like # the user/group to run under.) @@ -207,6 +207,7 @@ with lib; default = null; description = '' Basic Auth password file for a vhost. + Can be created via: <command>htpasswd -c <filename> <username></command> ''; }; diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index 4ab7e3f0c0a..2c73da10394 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -31,7 +31,7 @@ let ''; passAsFile = [ "nixDefaults" "phpOptions" ]; } '' - cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out + cat ${poolOpts.phpPackage}/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out ''; poolOpts = { name, ... }: @@ -69,8 +69,6 @@ let phpOptions = mkOption { type = types.lines; - default = cfg.phpOptions; - defaultText = "config.services.phpfpm.phpOptions"; description = '' "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool." ''; @@ -137,6 +135,7 @@ let config = { socket = if poolOpts.listen == "" then "${runtimeDir}/${name}.sock" else poolOpts.listen; group = mkDefault poolOpts.user; + phpOptions = mkBefore cfg.phpOptions; settings = mapAttrs (name: mkDefault){ listen = poolOpts.socket; @@ -147,6 +146,10 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") + (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") + ]; options = { services.phpfpm = { @@ -263,6 +266,7 @@ in { in { Slice = "phpfpm.slice"; PrivateDevices = true; + PrivateTmp = true; ProtectSystem = "full"; ProtectHome = true; # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix new file mode 100644 index 00000000000..01a01d97a23 --- /dev/null +++ b/nixos/modules/services/web-servers/ttyd.nix @@ -0,0 +1,196 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.ttyd; + + # Command line arguments for the ttyd daemon + args = [ "--port" (toString cfg.port) ] + ++ optionals (cfg.socket != null) [ "--interface" cfg.socket ] + ++ optionals (cfg.interface != null) [ "--interface" cfg.interface ] + ++ [ "--signal" (toString cfg.signal) ] + ++ (concatLists (mapAttrsToList (_k: _v: [ "--client-option" "${_k}=${_v}" ]) cfg.clientOptions)) + ++ [ "--terminal-type" cfg.terminalType ] + ++ optionals cfg.checkOrigin [ "--check-origin" ] + ++ [ "--max-clients" (toString cfg.maxClients) ] + ++ optionals (cfg.indexFile != null) [ "--index" cfg.indexFile ] + ++ optionals cfg.enableIPv6 [ "--ipv6" ] + ++ optionals cfg.enableSSL [ "--ssl-cert" cfg.certFile + "--ssl-key" cfg.keyFile + "--ssl-ca" cfg.caFile ] + ++ [ "--debug" (toString cfg.logLevel) ]; + +in + +{ + + ###### interface + + options = { + services.ttyd = { + enable = mkEnableOption "ttyd daemon"; + + port = mkOption { + type = types.int; + default = 7681; + description = "Port to listen on (use 0 for random port)"; + }; + + socket = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/run/ttyd.sock"; + description = "UNIX domain socket path to bind."; + }; + + interface = mkOption { + type = types.nullOr types.str; + default = null; + example = "eth0"; + description = "Network interface to bind."; + }; + + username = mkOption { + type = types.nullOr types.str; + default = null; + description = "Username for basic authentication."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + apply = value: if value == null then null else toString value; + description = '' + File containing the password to use for basic authentication. + For insecurely putting the password in the globally readable store use + <literal>pkgs.writeText "ttydpw" "MyPassword"</literal>. + ''; + }; + + signal = mkOption { + type = types.ints.u8; + default = 1; + description = "Signal to send to the command on session close."; + }; + + clientOptions = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample ''{ + fontSize = "16"; + fontFamily = "Fira Code"; + + }''; + description = '' + Attribute set of client options for xtermjs. + <link xlink:href="https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/"/> + ''; + }; + + terminalType = mkOption { + type = types.str; + default = "xterm-256color"; + description = "Terminal type to report."; + }; + + checkOrigin = mkOption { + type = types.bool; + default = false; + description = "Whether to allow a websocket connection from a different origin."; + }; + + maxClients = mkOption { + type = types.int; + default = 0; + description = "Maximum clients to support (0, no limit)"; + }; + + indexFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Custom index.html path"; + }; + + enableIPv6 = mkOption { + type = types.bool; + default = false; + description = "Whether or not to enable IPv6 support."; + }; + + enableSSL = mkOption { + type = types.bool; + default = false; + description = "Whether or not to enable SSL (https) support."; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "SSL certificate file path."; + }; + + keyFile = mkOption { + type = types.nullOr types.path; + default = null; + apply = value: if value == null then null else toString value; + description = '' + SSL key file path. + For insecurely putting the keyFile in the globally readable store use + <literal>pkgs.writeText "ttydKeyFile" "SSLKEY"</literal>. + ''; + }; + + caFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "SSL CA file path for client certificate verification."; + }; + + logLevel = mkOption { + type = types.int; + default = 7; + description = "Set log level."; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + assertions = + [ { assertion = cfg.enableSSL + -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null; + message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specefied."; } + { assertion = ! (cfg.interface != null && cfg.socket != null); + message = "Cannot set both interface and socket for ttyd."; } + { assertion = (cfg.username != null) == (cfg.passwordFile != null); + message = "Need to set both username and passwordFile for ttyd"; } + ]; + + systemd.services.ttyd = { + description = "ttyd Web Server Daemon"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + # Runs login which needs to be run as root + # login: Cannot possibly work without effective root + User = "root"; + }; + + script = if cfg.passwordFile != null then '' + PASSWORD=$(cat ${escapeShellArg cfg.passwordFile}) + ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ + --credential ${escapeShellArg cfg.username}:"$PASSWORD" \ + ${pkgs.shadow}/bin/login + '' + else '' + ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ + ${pkgs.shadow}/bin/login + ''; + }; + }; +} diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index 32f6d475b34..b07212580a5 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -85,7 +85,7 @@ in { systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -" - ]; + ]; systemd.services.unit = { description = "Unit App Server"; @@ -93,23 +93,39 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ curl ]; preStart = '' - test -f '/run/unit/control.unit.sock' || rm -f '/run/unit/control.unit.sock' + test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json' ''; postStart = '' curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; serviceConfig = { - User = cfg.user; - Group = cfg.group; - AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; - CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; ExecStart = '' ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ --user ${cfg.user} --group ${cfg.group} ''; + # User and group + User = cfg.user; + Group = cfg.group; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + # Security + NoNewPrivileges = true; + # Sanboxing + ProtectSystem = "full"; + ProtectHome = true; RuntimeDirectory = "unit"; RuntimeDirectoryMode = "0750"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + PrivateMounts = true; }; }; diff --git a/nixos/modules/services/web-servers/varnish/default.nix b/nixos/modules/services/web-servers/varnish/default.nix index 63f967185c2..01fe3d12917 100644 --- a/nixos/modules/services/web-servers/varnish/default.nix +++ b/nixos/modules/services/web-servers/varnish/default.nix @@ -15,8 +15,8 @@ in package = mkOption { type = types.package; - default = pkgs.varnish5; - defaultText = "pkgs.varnish5"; + default = pkgs.varnish; + defaultText = "pkgs.varnish"; description = '' The package to use ''; @@ -48,7 +48,7 @@ in extraModules = mkOption { type = types.listOf types.package; default = []; - example = literalExample "[ pkgs.varnish5Packages.geoip ]"; + example = literalExample "[ pkgs.varnishPackages.geoip ]"; description = " Varnish modules (except 'std'). "; diff --git a/nixos/modules/services/x11/compton.nix b/nixos/modules/services/x11/compton.nix index a94a76ff0c0..61174672e2d 100644 --- a/nixos/modules/services/x11/compton.nix +++ b/nixos/modules/services/x11/compton.nix @@ -284,4 +284,6 @@ in { environment.systemPackages = [ pkgs.compton ]; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/x11/desktop-managers/cde.nix b/nixos/modules/services/x11/desktop-managers/cde.nix new file mode 100644 index 00000000000..c1b6d3bf064 --- /dev/null +++ b/nixos/modules/services/x11/desktop-managers/cde.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + xcfg = config.services.xserver; + cfg = xcfg.desktopManager.cde; +in { + options.services.xserver.desktopManager.cde = { + enable = mkEnableOption "Common Desktop Environment"; + }; + + config = mkIf (xcfg.enable && cfg.enable) { + services.rpcbind.enable = true; + + services.xinetd.enable = true; + services.xinetd.services = [ + { + name = "cmsd"; + protocol = "udp"; + user = "root"; + server = "${pkgs.cdesktopenv}/opt/dt/bin/rpc.cmsd"; + extraConfig = '' + type = RPC UNLISTED + rpc_number = 100068 + rpc_version = 2-5 + only_from = 127.0.0.1/0 + ''; + } + ]; + + users.groups.mail = {}; + security.wrappers = { + dtmail = { + source = "${pkgs.cdesktopenv}/bin/dtmail"; + group = "mail"; + setgid = true; + }; + }; + + system.activationScripts.setup-cde = '' + mkdir -p /var/dt/{tmp,appconfig/appmanager} + chmod a+w+t /var/dt/{tmp,appconfig/appmanager} + ''; + + services.xserver.desktopManager.session = [ + { name = "CDE"; + start = '' + exec ${pkgs.cdesktopenv}/opt/dt/bin/Xsession + ''; + }]; + }; + + meta.maintainers = [ maintainers.gnidorah ]; +} diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index dfb84113e13..970fa620c6b 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -18,9 +18,9 @@ in # determines the default: later modules (if enabled) are preferred. # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ - ./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix + ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix - ./mate.nix ./pantheon.nix ./surf-display.nix + ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ]; options = { @@ -86,23 +86,14 @@ in }; default = mkOption { - type = types.str; - default = ""; + type = types.nullOr types.str; + default = null; example = "none"; - description = "Default desktop manager loaded if none have been chosen."; - apply = defaultDM: - if defaultDM == "" && cfg.session.list != [] then - (head cfg.session.list).name - else if any (w: w.name == defaultDM) cfg.session.list then - defaultDM - else - builtins.trace '' - Default desktop manager (${defaultDM}) not found at evaluation time. - These are the known valid session names: - ${concatMapStringsSep "\n " (w: "services.xserver.desktopManager.default = \"${w.name}\";") cfg.session.list} - It's also possible the default can be found in one of these packages: - ${concatMapStringsSep "\n " (p: p.name) config.services.xserver.displayManager.extraSessionFilePackages} - '' defaultDM; + description = '' + <emphasis role="strong">Deprecated</emphasis>, please use <xref linkend="opt-services.xserver.displayManager.defaultSession"/> instead. + + Default desktop manager loaded if none have been chosen. + ''; }; }; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 3745069f6ea..04e82599b94 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -16,6 +16,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) + ]; + options = { services.xserver.desktopManager.enlightenment.enable = mkOption { diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 5ad31e5b9d0..6d9bd284bc7 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -144,7 +144,7 @@ in services.gnome3.core-shell.enable = true; services.gnome3.core-utilities.enable = mkDefault true; - services.xserver.displayManager.extraSessionFilePackages = [ pkgs.gnome3.gnome-session ]; + services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session ]; environment.extraInit = '' ${concatMapStrings (p: '' @@ -171,7 +171,7 @@ in }) (mkIf flashbackEnabled { - services.xserver.displayManager.extraSessionFilePackages = map + services.xserver.displayManager.sessionPackages = map (wm: pkgs.gnome3.gnome-flashback.mkSessionForWm { inherit (wm) wmName wmLabel wmCommand; }) (optional cfg.flashback.enableMetacity { @@ -184,6 +184,13 @@ in enableGnomeKeyring = true; }; + systemd.packages = with pkgs.gnome3; [ + gnome-flashback + ] ++ (map + (wm: gnome-flashback.mkSystemdTargetForWm { + inherit (wm) wmName; + }) cfg.flashback.customSessions); + services.dbus.packages = [ pkgs.gnome3.gnome-screensaver ]; @@ -217,6 +224,12 @@ in services.xserver.updateDbusEnvironment = true; + # gnome has a custom alert theme but it still + # inherits from the freedesktop theme. + environment.systemPackages = with pkgs; [ + sound-theme-freedesktop + ]; + # Needed for themes and backgrounds environment.pathsToLink = [ "/share" # TODO: https://github.com/NixOS/nixpkgs/issues/47173 @@ -265,6 +278,26 @@ in source-sans-pro ]; + ## Enable soft realtime scheduling, only supported on wayland ## + + security.wrappers.".gnome-shell-wrapped" = { + source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped"; + capabilities = "cap_sys_nice=ep"; + }; + + systemd.user.services.gnome-shell-wayland = let + gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} '' + mkdir -p $out/bin/ + cp ${gnome-shell}/bin/gnome-shell $out/bin + sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell + ''; + in { + # Note we need to clear ExecStart before overriding it + serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"]; + # Do not use the default environment, it provides a broken PATH + environment = mkForce {}; + }; + # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-shell.bst environment.systemPackages = with pkgs.gnome3; [ adwaita-icon-theme @@ -276,7 +309,7 @@ in gnome-shell gnome-shell-extensions gnome-themes-extra - gnome-user-docs + pkgs.gnome-user-docs pkgs.orca pkgs.glib # for gsettings pkgs.gnome-menus diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index fe63f36cf96..4a6f2ca727d 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -98,7 +98,6 @@ in services.gnome3.at-spi2-core.enable = true; services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-settings-daemon.enable = true; services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 80dab135ee2..b46a2d189ef 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.xserver.desktopManager.pantheon; + serviceCfg = config.services.pantheon; nixos-gsettings-desktop-schemas = pkgs.pantheon.elementary-gsettings-schemas.override { extraGSettingsOverridePackages = cfg.extraGSettingsOverridePackages; @@ -19,6 +20,16 @@ in options = { + services.pantheon = { + + contractor = { + enable = mkEnableOption "contractor, a desktop-wide extension service used by Pantheon"; + }; + + apps.enable = mkEnableOption "Pantheon default applications"; + + }; + services.xserver.desktopManager.pantheon = { enable = mkOption { type = types.bool; @@ -41,6 +52,18 @@ in ]; }; + extraWingpanelIndicators = mkOption { + default = null; + type = with types; nullOr (listOf package); + description = "Indicators to add to Wingpanel."; + }; + + extraSwitchboardPlugs = mkOption { + default = null; + type = with types; nullOr (listOf package); + description = "Plugs to add to Switchboard."; + }; + extraGSettingsOverrides = mkOption { default = ""; type = types.lines; @@ -67,124 +90,88 @@ in }; - config = mkIf cfg.enable { + config = mkMerge [ + (mkIf cfg.enable { - services.xserver.displayManager.extraSessionFilePackages = [ pkgs.pantheon.elementary-session-settings ]; + services.xserver.displayManager.sessionPackages = [ pkgs.pantheon.elementary-session-settings ]; - # Ensure lightdm is used when Pantheon is enabled - # Without it screen locking will be nonfunctional because of the use of lightlocker + # Ensure lightdm is used when Pantheon is enabled + # Without it screen locking will be nonfunctional because of the use of lightlocker + warnings = optional (config.services.xserver.displayManager.lightdm.enable != true) + '' + Using Pantheon without LightDM as a displayManager will break screenlocking from the UI. + ''; - warnings = optional (config.services.xserver.displayManager.lightdm.enable != true) - '' - Using Pantheon without LightDM as a displayManager will break screenlocking from the UI. + services.xserver.displayManager.lightdm.greeters.pantheon.enable = mkDefault true; + + # Without this, elementary LightDM greeter will pre-select non-existent `default` session + # https://github.com/elementary/greeter/issues/368 + services.xserver.displayManager.defaultSession = "pantheon"; + + services.xserver.displayManager.sessionCommands = '' + if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then + ${concatMapStrings (p: '' + if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} + fi + + if [ -d "${p}/lib/girepository-1.0" ]; then + export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib + fi + '') cfg.sessionPath} + fi ''; - services.xserver.displayManager.lightdm.greeters.pantheon.enable = mkDefault true; - - # If not set manually Pantheon session cannot be started - # Known issue of https://github.com/NixOS/nixpkgs/pull/43992 - services.xserver.desktopManager.default = mkForce "pantheon"; - - services.xserver.displayManager.sessionCommands = '' - if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then - ${concatMapStrings (p: '' - if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} - fi - - if [ -d "${p}/lib/girepository-1.0" ]; then - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib - fi - '') cfg.sessionPath} - fi - ''; - - hardware.bluetooth.enable = mkDefault true; - hardware.pulseaudio.enable = mkDefault true; - security.polkit.enable = true; - services.accounts-daemon.enable = true; - services.bamf.enable = true; - services.colord.enable = mkDefault true; - services.pantheon.files.enable = mkDefault true; - services.tumbler.enable = mkDefault true; - services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.dbus.packages = with pkgs.pantheon; [ - switchboard-plug-power - elementary-default-settings - ]; - services.pantheon.contractor.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.glib-networking.enable = true; - # TODO: gnome-keyring's xdg autostarts will still be in the environment (from elementary-session-settings) if disabled forcefully - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-settings-daemon.enable = true; - services.udev.packages = [ pkgs.pantheon.elementary-settings-daemon ]; - services.gvfs.enable = true; - services.gnome3.rygel.enable = mkDefault true; - services.gsignond.enable = mkDefault true; - services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; - services.udisks2.enable = true; - services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; - services.xserver.updateDbusEnvironment = true; - services.zeitgeist.enable = mkDefault true; - services.geoclue2.enable = mkDefault true; - # pantheon has pantheon-agent-geoclue2 - services.geoclue2.enableDemoAgent = false; - services.geoclue2.appConfig."io.elementary.desktop.agent-geoclue2" = { - isAllowed = true; - isSystem = true; - }; - - programs.dconf.enable = true; - programs.evince.enable = mkDefault true; - programs.file-roller.enable = mkDefault true; - # Otherwise you can't store NetworkManager Secrets with - # "Store the password only for this user" - programs.nm-applet.enable = true; - - # Shell integration for VTE terminals - programs.bash.vteIntegration = mkDefault true; - programs.zsh.vteIntegration = mkDefault true; - - # Harmonize Qt5 applications under Pantheon - qt5.enable = true; - qt5.platformTheme = "gnome"; - qt5.style = "adwaita"; - - networking.networkmanager.enable = mkDefault true; - - # Override GSettings schemas - environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; - - environment.sessionVariables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1"; - - # Settings from elementary-default-settings - environment.sessionVariables.GTK_CSD = "1"; - environment.sessionVariables.GTK_MODULES = "pantheon-filechooser-module"; - environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; - - environment.pathsToLink = [ - # FIXME: modules should link subdirs of `/share` rather than relying on this - "/share" - ]; - - environment.systemPackages = - pkgs.pantheon.artwork ++ pkgs.pantheon.desktop ++ pkgs.pantheon.services ++ cfg.sessionPath - ++ (with pkgs; gnome3.removePackagesByName - ([ - gnome3.geary - gnome3.epiphany - gnome3.gnome-font-viewer - ] ++ pantheon.apps) config.environment.pantheon.excludePackages) - ++ (with pkgs; - [ - adwaita-qt + # Default services + hardware.bluetooth.enable = mkDefault true; + hardware.pulseaudio.enable = mkDefault true; + security.polkit.enable = true; + services.accounts-daemon.enable = true; + services.bamf.enable = true; + services.colord.enable = mkDefault true; + services.tumbler.enable = mkDefault true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.dbus.packages = with pkgs.pantheon; [ + switchboard-plug-power + elementary-default-settings # accountsservice extensions + ]; + services.pantheon.apps.enable = mkDefault true; + services.pantheon.contractor.enable = mkDefault true; + services.gnome3.at-spi2-core.enable = true; + services.gnome3.evolution-data-server.enable = true; + services.gnome3.glib-networking.enable = true; + services.gnome3.gnome-keyring.enable = true; + services.gvfs.enable = true; + services.gnome3.rygel.enable = mkDefault true; + services.gsignond.enable = mkDefault true; + services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; + services.udisks2.enable = true; + services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; + services.xserver.updateDbusEnvironment = true; + services.zeitgeist.enable = mkDefault true; + services.geoclue2.enable = mkDefault true; + # pantheon has pantheon-agent-geoclue2 + services.geoclue2.enableDemoAgent = false; + services.geoclue2.appConfig."io.elementary.desktop.agent-geoclue2" = { + isAllowed = true; + isSystem = true; + }; + # Use gnome-settings-daemon fork + services.udev.packages = [ + pkgs.pantheon.elementary-settings-daemon + ]; + systemd.packages = [ + pkgs.pantheon.elementary-settings-daemon + ]; + programs.dconf.enable = true; + networking.networkmanager.enable = mkDefault true; + + # Global environment + environment.systemPackages = with pkgs; [ desktop-file-utils glib - glib-networking gnome-menus gnome3.adwaita-icon-theme gtk3.out @@ -196,19 +183,111 @@ in shared-mime-info sound-theme-freedesktop xdg-user-dirs - ]); + ] ++ (with pkgs.pantheon; [ + # Artwork + elementary-gtk-theme + elementary-icon-theme + elementary-sound-theme + elementary-wallpapers + + # Desktop + elementary-default-settings + elementary-session-settings + elementary-shortcut-overlay + gala + (switchboard-with-plugs.override { + plugs = cfg.extraSwitchboardPlugs; + }) + (wingpanel-with-indicators.override { + indicators = cfg.extraWingpanelIndicators; + }) + + # Services + cerbere + elementary-capnet-assist + elementary-dpms-helper + elementary-settings-daemon + pantheon-agent-geoclue2 + pantheon-agent-polkit + ]) ++ (gnome3.removePackagesByName [ + gnome3.geary + gnome3.epiphany + gnome3.gnome-font-viewer + ] config.environment.pantheon.excludePackages); - fonts.fonts = with pkgs; [ - open-sans - roboto-mono - pantheon.elementary-redacted-script # needed by screenshot-tool - ]; + programs.evince.enable = mkDefault true; + programs.file-roller.enable = mkDefault true; - fonts.fontconfig.defaultFonts = { - monospace = [ "Roboto Mono" ]; - sansSerif = [ "Open Sans" ]; - }; + # Settings from elementary-default-settings + environment.sessionVariables.GTK_CSD = "1"; + environment.sessionVariables.GTK3_MODULES = [ "pantheon-filechooser-module" ]; + environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; - }; + # Override GSettings schemas + environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; + + environment.sessionVariables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1"; + + environment.pathsToLink = [ + # FIXME: modules should link subdirs of `/share` rather than relying on this + "/share" + ]; + + # Otherwise you can't store NetworkManager Secrets with + # "Store the password only for this user" + programs.nm-applet.enable = true; + # Shell integration for VTE terminals + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + + # Harmonize Qt5 applications under Pantheon + qt5.enable = true; + qt5.platformTheme = "gnome"; + qt5.style = "adwaita"; + + # Default Fonts + fonts.fonts = with pkgs; [ + open-sans + roboto-mono + ]; + + fonts.fontconfig.defaultFonts = { + monospace = [ "Roboto Mono" ]; + sansSerif = [ "Open Sans" ]; + }; + }) + + (mkIf serviceCfg.apps.enable { + environment.systemPackages = (with pkgs.pantheon; pkgs.gnome3.removePackagesByName [ + elementary-calculator + elementary-calendar + elementary-camera + elementary-code + elementary-files + elementary-music + elementary-photos + elementary-screenshot-tool + elementary-terminal + elementary-videos + ] config.environment.pantheon.excludePackages); + + # needed by screenshot-tool + fonts.fonts = [ + pkgs.pantheon.elementary-redacted-script + ]; + }) + + (mkIf serviceCfg.contractor.enable { + environment.systemPackages = with pkgs.pantheon; [ + contractor + extra-elementary-contracts + ]; + + environment.pathsToLink = [ + "/share/contractor" + ]; + }) + + ]; } diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index b6fb7218da6..fce274477b6 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -27,20 +27,14 @@ in example = "vlc"; description = "Phonon audio backend to install."; }; - - enableQt4Support = mkOption { - type = types.bool; - default = true; - description = '' - Enable support for Qt 4-based applications. Particularly, install a - default backend for Phonon. - ''; - }; - }; }; + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "plasma5" "enableQt4Support" ] "Phonon no longer supports Qt 4.") + (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) + ]; config = mkMerge [ (mkIf cfg.enable { @@ -173,12 +167,10 @@ in # Phonon audio backend ++ lib.optional (cfg.phononBackend == "gstreamer") libsForQt5.phonon-backend-gstreamer - ++ lib.optional (cfg.phononBackend == "gstreamer" && cfg.enableQt4Support) pkgs.phonon-backend-gstreamer ++ lib.optional (cfg.phononBackend == "vlc") libsForQt5.phonon-backend-vlc - ++ lib.optional (cfg.phononBackend == "vlc" && cfg.enableQt4Support) pkgs.phonon-backend-vlc # Optional hardware support features - ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt ] + ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt openobex obexftp ] ++ lib.optional config.networking.networkmanager.enable plasma-nm ++ lib.optional config.hardware.pulseaudio.enable plasma-pa ++ lib.optional config.powerManagement.enable powerdevil @@ -232,7 +224,6 @@ in security.pam.services.kdm.enableKwallet = true; security.pam.services.lightdm.enableKwallet = true; security.pam.services.sddm.enableKwallet = true; - security.pam.services.slim.enableKwallet = true; xdg.portal.enable = true; xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-kde ]; diff --git a/nixos/modules/services/x11/desktop-managers/surf-display.nix b/nixos/modules/services/x11/desktop-managers/surf-display.nix index 140dde828da..9aeb0bbd2a8 100644 --- a/nixos/modules/services/x11/desktop-managers/surf-display.nix +++ b/nixos/modules/services/x11/desktop-managers/surf-display.nix @@ -118,7 +118,7 @@ in { }; config = mkIf cfg.enable { - services.xserver.displayManager.extraSessionFilePackages = [ + services.xserver.displayManager.sessionPackages = [ pkgs.surf-display ]; diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 6965c6d2646..a08b1947f65 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -7,6 +7,33 @@ let in { + + imports = [ + # added 2019-08-18 + # needed to preserve some semblance of UI familarity + # with original XFCE module + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ] + [ "services" "xserver" "displayManager" "sessionCommands" ]) + + # added 2019-11-04 + # xfce4-14 module removed and promoted to xfce. + # Needed for configs that used xfce4-14 module to migrate to this one. + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "enable" ] + [ "services" "xserver" "desktopManager" "xfce" "enable" ]) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "noDesktop" ] + [ "services" "xserver" "desktopManager" "xfce" "noDesktop" ]) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "enableXfwm" ] + [ "services" "xserver" "desktopManager" "xfce" "enableXfwm" ]) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce" "extraSessionCommands" ] + [ "services" "xserver" "displayManager" "sessionCommands" ]) + (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") + ]; + options = { services.xserver.desktopManager.xfce = { enable = mkOption { @@ -30,14 +57,6 @@ in description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon)."; }; - extraSessionCommands = mkOption { - default = ""; - type = types.lines; - description = '' - Shell commands executed just before XFCE is started. - ''; - }; - enableXfwm = mkOption { type = types.bool; default = true; @@ -48,76 +67,101 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs.xfce // pkgs; [ - # Get GTK themes and gtk-update-icon-cache - gtk2.out + glib # for gsettings + gtk3.out # gtk-update-icon-cache - # Supplies some abstract icons such as: - # utilities-terminal, accessories-text-editor + gnome3.gnome-themes-extra gnome3.adwaita-icon-theme - hicolor-icon-theme tango-icon-theme xfce4-icon-theme + desktop-file-utils + shared-mime-info # for update-mime-database + + # For a polkit authentication agent + polkit_gnome + # Needed by Xfce's xinitrc script - # TODO: replace with command -v - which + xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ exo garcon - gtk-xfce-engine libxfce4ui - tumbler xfconf mousepad + parole ristretto xfce4-appfinder xfce4-screenshooter xfce4-session xfce4-settings + xfce4-taskmanager xfce4-terminal (thunar.override { thunarPlugins = cfg.thunarPlugins; }) - thunar-volman # TODO: drop - ] ++ (if config.hardware.pulseaudio.enable - then [ xfce4-mixer-pulse xfce4-volumed-pulse ] - else [ xfce4-mixer xfce4-volumed ]) - # TODO: NetworkManager doesn't belong here - ++ optionals config.networking.networkmanager.enable [ networkmanagerapplet ] - ++ optionals config.powerManagement.enable [ xfce4-power-manager ] - ++ optionals cfg.enableXfwm [ xfwm4 ] - ++ optionals (!cfg.noDesktop) [ - xfce4-panel + ] # TODO: NetworkManager doesn't belong here + ++ optional config.networking.networkmanager.enable networkmanagerapplet + ++ optional config.powerManagement.enable xfce4-power-manager + ++ optionals config.hardware.pulseaudio.enable [ + pavucontrol + # volume up/down keys support: + # xfce4-pulseaudio-plugin includes all the functionalities of xfce4-volumed-pulse + # but can only be used with xfce4-panel, so for no-desktop usage we still include + # xfce4-volumed-pulse + (if cfg.noDesktop then xfce4-volumed-pulse else xfce4-pulseaudio-plugin) + ] ++ optionals cfg.enableXfwm [ + xfwm4 + xfwm4-themes + ] ++ optionals (!cfg.noDesktop) [ xfce4-notifyd + xfce4-panel xfdesktop ]; environment.pathsToLink = [ "/share/xfce4" - "/share/themes" - "/share/gtksourceview-2.0" + "/lib/xfce4" + "/share/gtksourceview-3.0" + "/share/gtksourceview-4.0" ]; - services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; - services.xserver.desktopManager.session = [{ name = "xfce"; bgSupport = true; start = '' - ${cfg.extraSessionCommands} - - ${pkgs.runtimeShell} ${pkgs.xfce.xinitrc} & + ${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} & waitPID=$! ''; }]; services.xserver.updateDbusEnvironment = true; + services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; # Enable helpful DBus services. services.udisks2.enable = true; + security.polkit.enable = true; + services.accounts-daemon.enable = true; services.upower.enable = config.powerManagement.enable; + services.gnome3.glib-networking.enable = true; services.gvfs.enable = true; services.gvfs.package = pkgs.xfce.gvfs; + services.tumbler.enable = true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager + + # Enable default programs + programs.dconf.enable = true; + + # Shell integration for VTE terminals + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + + # Systemd services + systemd.packages = with pkgs.xfce; [ + (thunar.override { thunarPlugins = cfg.thunarPlugins; }) + ] ++ optional (!cfg.noDesktop) xfce4-notifyd; + }; } diff --git a/nixos/modules/services/x11/desktop-managers/xfce4-14.nix b/nixos/modules/services/x11/desktop-managers/xfce4-14.nix deleted file mode 100644 index ffc99172e79..00000000000 --- a/nixos/modules/services/x11/desktop-managers/xfce4-14.nix +++ /dev/null @@ -1,152 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.xserver.desktopManager.xfce4-14; -in - -{ - # added 2019-08-18 - # needed to preserve some semblance of UI familarity - # with original XFCE module - imports = [ - (mkRenamedOptionModule - [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ] - [ "services" "xserver" "displayManager" "sessionCommands" ]) - ]; - - options = { - services.xserver.desktopManager.xfce4-14 = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the Xfce desktop environment."; - }; - - # TODO: support thunar plugins - # thunarPlugins = mkOption { - # default = []; - # type = types.listOf types.package; - # example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]"; - # description = '' - # A list of plugin that should be installed with Thunar. - # ''; - # }; - - noDesktop = mkOption { - type = types.bool; - default = false; - description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon)."; - }; - - enableXfwm = mkOption { - type = types.bool; - default = true; - description = "Enable the XFWM (default) window manager."; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs.xfce4-14 // pkgs; [ - glib # for gsettings - gtk3.out # gtk-update-icon-cache - - gnome3.gnome-themes-extra - gnome3.adwaita-icon-theme - hicolor-icon-theme - tango-icon-theme - xfce4-icon-theme - - desktop-file-utils - shared-mime-info # for update-mime-database - - # For a polkit authentication agent - polkit_gnome - - # Needed by Xfce's xinitrc script - xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ - - exo - garcon - libxfce4ui - xfconf - - mousepad - parole - ristretto - xfce4-appfinder - xfce4-screenshooter - xfce4-session - xfce4-settings - xfce4-taskmanager - xfce4-terminal - - # TODO: resync patch for plugins - #(thunar.override { thunarPlugins = cfg.thunarPlugins; }) - thunar - ] # TODO: NetworkManager doesn't belong here - ++ optional config.networking.networkmanager.enable networkmanagerapplet - ++ optional config.powerManagement.enable xfce4-power-manager - ++ optionals config.hardware.pulseaudio.enable [ - pavucontrol - # volume up/down keys support: - # xfce4-pulseaudio-plugin includes all the functionalities of xfce4-volumed-pulse - # but can only be used with xfce4-panel, so for no-desktop usage we still include - # xfce4-volumed-pulse - (if cfg.noDesktop then xfce4-volumed-pulse else xfce4-pulseaudio-plugin) - ] ++ optionals cfg.enableXfwm [ - xfwm4 - xfwm4-themes - ] ++ optionals (!cfg.noDesktop) [ - xfce4-notifyd - xfce4-panel - xfdesktop - ]; - - environment.pathsToLink = [ - "/share/xfce4" - "/lib/xfce4" - "/share/gtksourceview-3.0" - "/share/gtksourceview-4.0" - ]; - - services.xserver.desktopManager.session = [{ - name = "xfce4-14"; - bgSupport = true; - start = '' - ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} & - waitPID=$! - ''; - }]; - - services.xserver.updateDbusEnvironment = true; - services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; - - # Enable helpful DBus services. - services.udisks2.enable = true; - security.polkit.enable = true; - services.accounts-daemon.enable = true; - services.upower.enable = config.powerManagement.enable; - services.gnome3.glib-networking.enable = true; - services.gvfs.enable = true; - services.gvfs.package = pkgs.xfce.gvfs; - services.tumbler.enable = true; - services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager - - # Enable default programs - programs.dconf.enable = true; - - # Shell integration for VTE terminals - programs.bash.vteIntegration = mkDefault true; - programs.zsh.vteIntegration = mkDefault true; - - # Systemd services - systemd.packages = with pkgs.xfce4-14; [ - thunar - ] ++ optional (!cfg.noDesktop) xfce4-notifyd; - - }; -} diff --git a/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixos/modules/services/x11/display-managers/account-service-util.nix new file mode 100644 index 00000000000..1dbe703b566 --- /dev/null +++ b/nixos/modules/services/x11/display-managers/account-service-util.nix @@ -0,0 +1,39 @@ +{ accountsservice +, glib +, gobject-introspection +, python3 +, wrapGAppsHook +}: + +python3.pkgs.buildPythonApplication { + name = "set-session"; + + format = "other"; + + src = ./set-session.py; + + dontUnpack = true; + + strictDeps = false; + + nativeBuildInputs = [ + wrapGAppsHook + gobject-introspection + ]; + + buildInputs = [ + accountsservice + glib + ]; + + propagatedBuildInputs = with python3.pkgs; [ + pygobject3 + ordered-set + ]; + + installPhase = '' + mkdir -p $out/bin + cp $src $out/bin/set-session + chmod +x $out/bin/set-session + ''; +} diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index bf6b048654b..2d809b5cc9f 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -1,9 +1,9 @@ # This module declares the options to define a *display manager*, the -# program responsible for handling X logins (such as xdm, gdb, or -# SLiM). The display manager allows the user to select a *session -# type*. When the user logs in, the display manager starts the +# program responsible for handling X logins (such as LightDM, GDM, or SDDM). +# The display manager allows the user to select a *session +# type*. When the user logs in, the display manager starts the # *session script* ("xsession" below) to launch the selected session -# type. The session type defines two things: the *desktop manager* +# type. The session type defines two things: the *desktop manager* # (e.g., KDE, Gnome or a plain xterm), and optionally the *window # manager* (e.g. kwin or twm). @@ -27,16 +27,7 @@ let Xft.hintstyle: hintslight ''; - mkCases = session: - concatStrings ( - mapAttrsToList (name: starts: '' - (${name}) - ${concatMapStringsSep "\n " (n: n.start) starts} - ;; - '') (lib.groupBy (n: n.name) session) - ); - - # file provided by services.xserver.displayManager.session.wrapper + # file provided by services.xserver.displayManager.sessionData.wrapper xsessionWrapper = pkgs.writeScript "xsession-wrapper" '' #! ${pkgs.bash}/bin/bash @@ -116,99 +107,47 @@ let # Run the supplied session command. Remove any double quotes with eval. eval exec "$@" else - # Fall back to the default window/desktopManager - exec ${cfg.displayManager.session.script} + # TODO: Do we need this? Should not the session always exist? + echo "error: unknown session $1" 1>&2 + exit 1 fi ''; - # file provided by services.xserver.displayManager.session.script - xsession = wm: dm: pkgs.writeScript "xsession" - '' - #! ${pkgs.bash}/bin/bash - - # Legacy session script used to construct .desktop files from - # `services.xserver.displayManager.session` entries. Called from - # `sessionWrapper`. - - # Expected parameters: - # $1 = <desktop-manager>+<window-manager> - - # The first argument of this script is the session type. - sessionType="$1" - if [ "$sessionType" = default ]; then sessionType=""; fi - - # The session type is "<desktop-manager>+<window-manager>", so - # extract those (see: - # http://wiki.bash-hackers.org/syntax/pe#substring_removal). - windowManager="''${sessionType##*+}" - : ''${windowManager:=${cfg.windowManager.default}} - desktopManager="''${sessionType%%+*}" - : ''${desktopManager:=${cfg.desktopManager.default}} - - # Start the window manager. - case "$windowManager" in - ${mkCases wm} - (*) echo "$0: Window manager '$windowManager' not found.";; - esac - - # Start the desktop manager. - case "$desktopManager" in - ${mkCases dm} - (*) echo "$0: Desktop manager '$desktopManager' not found.";; - esac - - ${optionalString cfg.updateDbusEnvironment '' - ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all - ''} - - test -n "$waitPID" && wait "$waitPID" - - ${config.systemd.package}/bin/systemctl --user stop graphical-session.target - - exit 0 - ''; - - # Desktop Entry Specification: - # - https://standards.freedesktop.org/desktop-entry-spec/latest/ - # - https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s06.html - mkDesktops = names: pkgs.runCommand "desktops" + installedSessions = pkgs.runCommand "desktops" { # trivial derivation preferLocalBuild = true; allowSubstitutes = false; } '' - mkdir -p "$out/share/xsessions" - ${concatMapStrings (n: '' - cat - > "$out/share/xsessions/${n}.desktop" << EODESKTOP - [Desktop Entry] - Version=1.0 - Type=XSession - TryExec=${cfg.displayManager.session.script} - Exec=${cfg.displayManager.session.script} "${n}" - Name=${n} - Comment= - EODESKTOP - '') names} + mkdir -p "$out/share/"{xsessions,wayland-sessions} ${concatMapStrings (pkg: '' + for n in ${concatStringsSep " " pkg.providedSessions}; do + if ! test -f ${pkg}/share/wayland-sessions/$n.desktop -o \ + -f ${pkg}/share/xsessions/$n.desktop; then + echo "Couldn't find provided session name, $n.desktop, in session package ${pkg.name}:" + echo " ${pkg}" + return 1 + fi + done + if test -d ${pkg}/share/xsessions; then ${xorg.lndir}/bin/lndir ${pkg}/share/xsessions $out/share/xsessions fi - '') cfg.displayManager.extraSessionFilePackages} - - - ${concatMapStrings (pkg: '' if test -d ${pkg}/share/wayland-sessions; then - mkdir -p "$out/share/wayland-sessions" ${xorg.lndir}/bin/lndir ${pkg}/share/wayland-sessions $out/share/wayland-sessions fi - '') cfg.displayManager.extraSessionFilePackages} + '') cfg.displayManager.sessionPackages} ''; + dmDefault = cfg.desktopManager.default; + wmDefault = cfg.windowManager.default; + + defaultSessionFromLegacyOptions = concatStringsSep "+" (filter (s: s != null) ([ dmDefault ] ++ optional (wmDefault != "none") wmDefault)); + in { - options = { services.xserver.displayManager = { @@ -263,11 +202,24 @@ in ''; }; - extraSessionFilePackages = mkOption { - type = types.listOf types.package; + sessionPackages = mkOption { + type = with types; listOf (package // { + description = "package with provided sessions"; + check = p: assertMsg + (package.check p && p ? providedSessions + && p.providedSessions != [] && all isString p.providedSessions) + '' + Package, '${p.name}', did not specify any session names, as strings, in + 'passthru.providedSessions'. This is required when used as a session package. + + The session names can be looked up in: + ${p}/share/xsessions + ${p}/share/wayland-sessions + ''; + }); default = []; description = '' - A list of packages containing xsession files to be passed to the display manager. + A list of packages containing x11 or wayland session files to be passed to the display manager. ''; }; @@ -298,18 +250,50 @@ in inside the display manager with the desktop manager name followed by the window manager name. ''; - apply = list: rec { - wm = filter (s: s.manage == "window") list; - dm = filter (s: s.manage == "desktop") list; - names = flip concatMap dm - (d: map (w: d.name + optionalString (w.name != "none") ("+" + w.name)) - (filter (w: d.name != "none" || w.name != "none") wm)); - desktops = mkDesktops names; - script = xsession wm dm; + }; + + sessionData = mkOption { + description = "Data exported for display managers’ convenience"; + internal = true; + default = {}; + apply = val: { wrapper = xsessionWrapper; + desktops = installedSessions; + sessionNames = concatMap (p: p.providedSessions) cfg.displayManager.sessionPackages; + # We do not want to force users to set defaultSession when they have only single DE. + autologinSession = + if cfg.displayManager.defaultSession != null then + cfg.displayManager.defaultSession + else if cfg.displayManager.sessionData.sessionNames != [] then + head cfg.displayManager.sessionData.sessionNames + else + null; }; }; + defaultSession = mkOption { + type = with types; nullOr str // { + description = "session name"; + check = d: + assertMsg (d != null -> (str.check d && elem d cfg.displayManager.sessionData.sessionNames)) '' + Default graphical session, '${d}', not found. + Valid names for 'services.xserver.displayManager.defaultSession' are: + ${concatStringsSep "\n " cfg.displayManager.sessionData.sessionNames} + ''; + }; + default = + if dmDefault != null || wmDefault != null then + defaultSessionFromLegacyOptions + else + null; + example = "gnome"; + description = '' + Graphical session to pre-select in the session chooser (only effective for GDM and LightDM). + + On GDM, LightDM and SDDM, it will also be used as a session for auto-login. + ''; + }; + job = { preStart = mkOption { @@ -322,7 +306,7 @@ in execCmd = mkOption { type = types.str; example = literalExample '' - "''${pkgs.slim}/bin/slim" + "''${pkgs.lightdm}/bin/lightdm" ''; description = "Command to start the display manager."; }; @@ -330,7 +314,6 @@ in environment = mkOption { type = types.attrsOf types.unspecified; default = {}; - example = { SLIM_CFGFILE = "/etc/slim.conf"; }; description = "Additional environment variables needed by the display manager."; }; @@ -359,6 +342,27 @@ in }; config = { + assertions = [ + { + assertion = cfg.desktopManager.default != null || cfg.windowManager.default != null -> cfg.displayManager.defaultSession == defaultSessionFromLegacyOptions; + message = "You cannot use both services.xserver.displayManager.defaultSession option and legacy options (services.xserver.desktopManager.default and services.xserver.windowManager.default)."; + } + ]; + + warnings = + mkIf (dmDefault != null || wmDefault != null) [ + '' + The following options are deprecated: + ${concatStringsSep "\n " (map ({c, t}: t) (filter ({c, t}: c != null) [ + { c = dmDefault; t = "- services.xserver.desktopManager.default"; } + { c = wmDefault; t = "- services.xserver.windowManager.default"; } + ]))} + Please use + services.xserver.displayManager.defaultSession = "${concatStringsSep "+" (filter (s: s != null) [ dmDefault wmDefault ])}"; + instead. + '' + ]; + services.xserver.displayManager.xserverBin = "${xorg.xorgserver.out}/bin/X"; systemd.user.targets.graphical-session = { @@ -367,11 +371,75 @@ in StopWhenUnneeded = false; }; }; + + # Create desktop files and scripts for starting sessions for WMs/DMs + # that do not have upstream session files (those defined using services.{display,desktop,window}Manager.session options). + services.xserver.displayManager.sessionPackages = + let + dms = filter (s: s.manage == "desktop") cfg.displayManager.session; + wms = filter (s: s.manage == "window") cfg.displayManager.session; + + # Script responsible for starting the window manager and the desktop manager. + xsession = wm: dm: pkgs.writeScript "xsession" '' + #! ${pkgs.bash}/bin/bash + + # Legacy session script used to construct .desktop files from + # `services.xserver.displayManager.session` entries. Called from + # `sessionWrapper`. + + # Start the window manager. + ${wm.start} + + # Start the desktop manager. + ${dm.start} + + ${optionalString cfg.updateDbusEnvironment '' + ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all + ''} + + test -n "$waitPID" && wait "$waitPID" + + ${config.systemd.package}/bin/systemctl --user stop graphical-session.target + + exit 0 + ''; + in + # We will generate every possible pair of WM and DM. + concatLists ( + crossLists + (dm: wm: let + sessionName = "${dm.name}${optionalString (wm.name != "none") ("+" + wm.name)}"; + script = xsession dm wm; + in + optional (dm.name != "none" || wm.name != "none") + (pkgs.writeTextFile { + name = "${sessionName}-xsession"; + destination = "/share/xsessions/${sessionName}.desktop"; + # Desktop Entry Specification: + # - https://standards.freedesktop.org/desktop-entry-spec/latest/ + # - https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s06.html + text = '' + [Desktop Entry] + Version=1.0 + Type=XSession + TryExec=${script} + Exec=${script} + Name=${sessionName} + ''; + } // { + providedSessions = [ sessionName ]; + }) + ) + [dms wms] + ); }; imports = [ - (mkRemovedOptionModule [ "services" "xserver" "displayManager" "desktopManagerHandlesLidAndPower" ] + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "desktopManagerHandlesLidAndPower" ] "The option is no longer necessary because all display managers have already delegated lid management to systemd.") + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "extraSessionFilesPackages" ] [ "services" "xserver" "displayManager" "sessionPackages" ]) ]; } diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index e5990aec4b9..6630f012f04 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -31,6 +31,9 @@ let load-module module-position-event-sounds ''; + defaultSessionName = config.services.xserver.displayManager.defaultSession; + + setSessionScript = pkgs.callPackage ./account-service-util.nix { }; in { @@ -88,11 +91,21 @@ in wayland = mkOption { default = true; description = '' - Allow GDM run on Wayland instead of Xserver + Allow GDM to run on Wayland instead of Xserver. + Note to enable Wayland with Nvidia you need to + enable the <option>nvidiaWayland</option>. ''; type = types.bool; }; + nvidiaWayland = mkOption { + default = false; + description = '' + Whether to allow wayland to be used with the proprietary + NVidia graphics driver. + ''; + }; + autoSuspend = mkOption { default = true; description = '' @@ -138,7 +151,7 @@ in environment = { GDM_X_SERVER_EXTRA_ARGS = toString (filter (arg: arg != "-terminate") cfg.xserverArgs); - XDG_DATA_DIRS = "${cfg.session.desktops}/share/"; + XDG_DATA_DIRS = "${cfg.sessionData.desktops}/share/"; } // optionalAttrs (xSessionWrapper != null) { # Make GDM use this wrapper before running the session, which runs the # configured setupCommands. This relies on a patched GDM which supports @@ -156,11 +169,19 @@ in cat - > /run/gdm/.config/gnome-initial-setup-done <<- EOF yes EOF + '' + optionalString (defaultSessionName != null) '' + # Set default session in session chooser to a specified values – basically ignore session history. + ${setSessionScript}/bin/set-session ${cfg.sessionData.autologinSession} ''; }; - # Because sd_login_monitor_new requires /run/systemd/machines - systemd.services.display-manager.wants = [ "systemd-machined.service" ]; + systemd.services.display-manager.wants = [ + # Because sd_login_monitor_new requires /run/systemd/machines + "systemd-machined.service" + # setSessionScript wants AccountsService + "accounts-daemon.service" + ]; + systemd.services.display-manager.after = [ "rc-local.service" "systemd-machined.service" @@ -197,6 +218,19 @@ in services.dbus.packages = [ gdm ]; + # We duplicate upstream's udev rules manually to make wayland with nvidia configurable + services.udev.extraRules = '' + # disable Wayland on Cirrus chipsets + ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland" + # disable Wayland on Hi1710 chipsets + ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland" + ${optionalString (!cfg.gdm.nvidiaWayland) '' + DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland" + ''} + # disable Wayland when modesetting is disabled + IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland" + ''; + systemd.user.services.dbus.wantedBy = [ "default.target" ]; programs.dconf.profiles.gdm = @@ -218,7 +252,7 @@ in customDconfDb = pkgs.stdenv.mkDerivation { name = "gdm-dconf-db"; buildCommand = '' - ${pkgs.gnome3.dconf}/bin/dconf compile $out ${customDconf}/dconf + ${pkgs.dconf}/bin/dconf compile $out ${customDconf}/dconf ''; }; in pkgs.stdenv.mkDerivation { @@ -263,7 +297,7 @@ in ${optionalString cfg.gdm.debug "Enable=true"} ''; - environment.etc."gdm/Xsession".source = config.services.xserver.displayManager.session.wrapper; + environment.etc."gdm/Xsession".source = config.services.xserver.displayManager.sessionData.wrapper; # GDM LFS PAM modules, adapted somehow to NixOS security.pam.services = { diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix index fa9445af32e..0025f9b3603 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix @@ -53,9 +53,8 @@ in Whether to enable lightdm-mini-greeter as the lightdm greeter. Note that this greeter starts only the default X session. - You can configure the default X session by - <option>services.xserver.desktopManager.default</option> and - <option>services.xserver.windowManager.default</option>. + You can configure the default X session using + <xref linkend="opt-services.xserver.displayManager.defaultSession"/>. ''; }; diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix index 29cb6ccbc06..77c94114e6d 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix @@ -35,6 +35,9 @@ in name = "io.elementary.greeter"; }; + # Show manual login card. + services.xserver.displayManager.lightdm.extraSeatDefaults = "greeter-show-manual-login=true"; + environment.etc."lightdm/io.elementary.greeter.conf".source = "${pkgs.pantheon.elementary-greeter}/etc/lightdm/io.elementary.greeter.conf"; environment.etc."wingpanel.d/io.elementary.greeter.whitelist".source = "${pkgs.pantheon.elementary-default-settings}/etc/wingpanel.d/io.elementary.greeter.whitelist"; diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index cf4c05acbcc..f7face0adb7 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -8,10 +8,9 @@ let dmcfg = xcfg.displayManager; xEnv = config.systemd.services.display-manager.environment; cfg = dmcfg.lightdm; + sessionData = dmcfg.sessionData; - dmDefault = xcfg.desktopManager.default; - wmDefault = xcfg.windowManager.default; - hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + setSessionScript = pkgs.callPackage ./account-service-util.nix { }; inherit (pkgs) lightdm writeScript writeText; @@ -45,22 +44,19 @@ let greeter-user = ${config.users.users.lightdm.name} greeters-directory = ${cfg.greeter.package} ''} - sessions-directory = ${dmcfg.session.desktops}/share/xsessions + sessions-directory = ${dmcfg.sessionData.desktops}/share/xsessions:${dmcfg.sessionData.desktops}/share/wayland-sessions ${cfg.extraConfig} [Seat:*] xserver-command = ${xserverWrapper} - session-wrapper = ${dmcfg.session.wrapper} + session-wrapper = ${dmcfg.sessionData.wrapper} ${optionalString cfg.greeter.enable '' greeter-session = ${cfg.greeter.name} ''} ${optionalString cfg.autoLogin.enable '' autologin-user = ${cfg.autoLogin.user} autologin-user-timeout = ${toString cfg.autoLogin.timeout} - autologin-session = ${defaultSessionName} - ''} - ${optionalString hasDefaultUserSession '' - user-session=${defaultSessionName} + autologin-session = ${sessionData.autologinSession} ''} ${optionalString (dmcfg.setupCommands != "") '' display-setup-script=${pkgs.writeScript "lightdm-display-setup" '' @@ -71,7 +67,6 @@ let ${cfg.extraSeatDefaults} ''; - defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); in { # Note: the order in which lightdm greeter modules are imported @@ -199,11 +194,9 @@ in LightDM auto-login requires services.xserver.displayManager.lightdm.autoLogin.user to be set ''; } - { assertion = cfg.autoLogin.enable -> dmDefault != "none" || wmDefault != "none"; + { assertion = cfg.autoLogin.enable -> sessionData.autologinSession != null; message = '' - LightDM auto-login requires that services.xserver.desktopManager.default and - services.xserver.windowManager.default are set to valid values. The current - default session: ${defaultSessionName} is not valid. + LightDM auto-login requires that services.xserver.displayManager.defaultSession is set. ''; } { assertion = !cfg.greeter.enable -> (cfg.autoLogin.enable && cfg.autoLogin.timeout == 0); @@ -214,6 +207,20 @@ in } ]; + # Set default session in session chooser to a specified values – basically ignore session history. + # Auto-login is already covered by a config value. + services.xserver.displayManager.job.preStart = optionalString (!cfg.autoLogin.enable && dmcfg.defaultSession != null) '' + ${setSessionScript}/bin/set-session ${dmcfg.defaultSession} + ''; + + # setSessionScript needs session-files in XDG_DATA_DIRS + services.xserver.displayManager.job.environment.XDG_DATA_DIRS = "${dmcfg.sessionData.desktops}/share/"; + + # setSessionScript wants AccountsService + systemd.services.display-manager.wants = [ + "accounts-daemon.service" + ]; + # lightdm relaunches itself via just `lightdm`, so needs to be on the PATH services.xserver.displayManager.job.execCmd = '' export PATH=${lightdm}/sbin:$PATH diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index 8847acb0c60..4224c557ed6 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -14,7 +14,7 @@ let xserverWrapper = pkgs.writeScript "xserver-wrapper" '' #!/bin/sh ${concatMapStrings (n: "export ${n}=\"${getAttr n xEnv}\"\n") (attrNames xEnv)} - exec systemd-cat ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@" + exec systemd-cat -t xserver-wrapper ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@" ''; Xsetup = pkgs.writeScript "Xsetup" '' @@ -50,8 +50,8 @@ let MinimumVT=${toString (if xcfg.tty != null then xcfg.tty else 7)} ServerPath=${xserverWrapper} XephyrPath=${pkgs.xorg.xorgserver.out}/bin/Xephyr - SessionCommand=${dmcfg.session.wrapper} - SessionDir=${dmcfg.session.desktops}/share/xsessions + SessionCommand=${dmcfg.sessionData.wrapper} + SessionDir=${dmcfg.sessionData.desktops}/share/xsessions XauthPath=${pkgs.xorg.xauth}/bin/xauth DisplayCommand=${Xsetup} DisplayStopCommand=${Xstop} @@ -59,26 +59,27 @@ let [Wayland] EnableHidpi=${if cfg.enableHidpi then "true" else "false"} - SessionDir=${dmcfg.session.desktops}/share/wayland-sessions + SessionDir=${dmcfg.sessionData.desktops}/share/wayland-sessions ${optionalString cfg.autoLogin.enable '' [Autologin] User=${cfg.autoLogin.user} - Session=${defaultSessionName}.desktop + Session=${autoLoginSessionName}.desktop Relogin=${boolToString cfg.autoLogin.relogin} ''} ${cfg.extraConfig} ''; - defaultSessionName = - let - dm = xcfg.desktopManager.default; - wm = xcfg.windowManager.default; - in dm + optionalString (wm != "none") ("+" + wm); + autoLoginSessionName = dmcfg.sessionData.autologinSession; in { + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] + "Set the option `services.xserver.displayManager.sddm.package' instead.") + ]; + options = { services.xserver.displayManager.sddm = { @@ -205,11 +206,9 @@ in SDDM auto-login requires services.xserver.displayManager.sddm.autoLogin.user to be set ''; } - { assertion = cfg.autoLogin.enable -> elem defaultSessionName dmcfg.session.names; + { assertion = cfg.autoLogin.enable -> autoLoginSessionName != null; message = '' - SDDM auto-login requires that services.xserver.desktopManager.default and - services.xserver.windowManager.default are set to valid values. The current - default session: ${defaultSessionName} is not valid. + SDDM auto-login requires that services.xserver.displayManager.defaultSession is set. ''; } ]; diff --git a/nixos/modules/services/x11/display-managers/set-session.py b/nixos/modules/services/x11/display-managers/set-session.py new file mode 100755 index 00000000000..0cca80af44e --- /dev/null +++ b/nixos/modules/services/x11/display-managers/set-session.py @@ -0,0 +1,86 @@ +#!/usr/bin/env python + +import gi, argparse, os, logging, sys + +gi.require_version("AccountsService", "1.0") +from gi.repository import AccountsService, GLib +from ordered_set import OrderedSet + + +def get_session_file(session): + system_data_dirs = GLib.get_system_data_dirs() + + session_dirs = OrderedSet( + os.path.join(data_dir, session) + for data_dir in system_data_dirs + for session in {"wayland-sessions", "xsessions"} + ) + + session_files = OrderedSet( + os.path.join(dir, session + ".desktop") + for dir in session_dirs + if os.path.exists(os.path.join(dir, session + ".desktop")) + ) + + # Deal with duplicate wayland-sessions and xsessions. + # Needed for the situation in gnome-session, where there's + # a xsession named the same as a wayland session. + if any(map(is_session_wayland, session_files)): + session_files = OrderedSet( + session for session in session_files if is_session_wayland(session) + ) + else: + session_files = OrderedSet( + session for session in session_files if is_session_xsession(session) + ) + + if len(session_files) == 0: + logging.warning("No session files are found.") + sys.exit(0) + else: + return session_files[0] + + +def is_session_xsession(session_file): + return "/xsessions/" in session_file + + +def is_session_wayland(session_file): + return "/wayland-sessions/" in session_file + + +def main(): + parser = argparse.ArgumentParser( + description="Set session type for all normal users." + ) + parser.add_argument("session", help="Name of session to set.") + + args = parser.parse_args() + + session = getattr(args, "session") + session_file = get_session_file(session) + + user_manager = AccountsService.UserManager.get_default() + users = user_manager.list_users() + + for user in users: + if user.is_system_account(): + continue + else: + if is_session_wayland(session_file): + logging.debug( + f"Setting session name: {session}, as we found the existing wayland-session: {session_file}" + ) + user.set_session(session) + elif is_session_xsession(session_file): + logging.debug( + f"Setting session name: {session}, as we found the existing xsession: {session_file}" + ) + user.set_x_session(session) + else: + logging.error(f"Couldn't figure out session type for {session_file}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/nixos/modules/services/x11/display-managers/slim.nix b/nixos/modules/services/x11/display-managers/slim.nix index 124660a43f0..4b0948a5b7a 100644 --- a/nixos/modules/services/x11/display-managers/slim.nix +++ b/nixos/modules/services/x11/display-managers/slim.nix @@ -2,155 +2,15 @@ with lib; -let - - dmcfg = config.services.xserver.displayManager; - - cfg = dmcfg.slim; - - slimConfig = pkgs.writeText "slim.cfg" - '' - xauth_path ${dmcfg.xauthBin} - default_xserver ${dmcfg.xserverBin} - xserver_arguments ${toString dmcfg.xserverArgs} - sessiondir ${dmcfg.session.desktops}/share/xsessions - login_cmd exec ${pkgs.runtimeShell} ${dmcfg.session.wrapper} "%session" - halt_cmd ${config.systemd.package}/sbin/shutdown -h now - reboot_cmd ${config.systemd.package}/sbin/shutdown -r now - logfile /dev/stderr - ${optionalString (cfg.defaultUser != null) ("default_user " + cfg.defaultUser)} - ${optionalString (cfg.defaultUser != null) ("focus_password yes")} - ${optionalString cfg.autoLogin "auto_login yes"} - ${optionalString (cfg.consoleCmd != null) "console_cmd ${cfg.consoleCmd}"} - ${cfg.extraConfig} - ''; - - # Unpack the SLiM theme, or use the default. - slimThemesDir = - let - unpackedTheme = pkgs.runCommand "slim-theme" { preferLocalBuild = true; } - '' - mkdir -p $out - cd $out - unpackFile ${cfg.theme} - ln -s * default - ''; - in if cfg.theme == null then "${pkgs.slim}/share/slim/themes" else unpackedTheme; - -in - { - - ###### interface - - options = { - - services.xserver.displayManager.slim = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable SLiM as the display manager. - ''; - }; - - theme = mkOption { - type = types.nullOr types.path; - default = pkgs.fetchurl { - url = "https://github.com/jagajaga/nixos-slim-theme/archive/2.0.tar.gz"; - sha256 = "0lldizhigx7bjhxkipii87y432hlf5wdvamnfxrryf9z7zkfypc8"; - }; - defaultText = ''pkgs.fetchurl { - url = "https://github.com/jagajaga/nixos-slim-theme/archive/2.0.tar.gz"; - sha256 = "0lldizhigx7bjhxkipii87y432hlf5wdvamnfxrryf9z7zkfypc8"; - }''; - example = literalExample '' - pkgs.fetchurl { - url = "mirror://sourceforge/slim.berlios/slim-wave.tar.gz"; - sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy"; - } - ''; - description = '' - The theme for the SLiM login manager. If not specified, SLiM's - default theme is used. See <link - xlink:href='http://slim.berlios.de/themes01.php'/> for a - collection of themes. TODO: berlios shut down. - ''; - }; - - defaultUser = mkOption { - type = types.nullOr types.str; - default = null; - example = "login"; - description = '' - The default user to load. If you put a username here you - get it automatically loaded into the username field, and - the focus is placed on the password. - ''; - }; - - autoLogin = mkOption { - type = types.bool; - default = false; - description = '' - Automatically log in as the default user. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Extra configuration options for SLiM login manager. Do not - add options that can be configured directly. - ''; - }; - - consoleCmd = mkOption { - type = types.nullOr types.str; - default = '' - ${pkgs.xterm}/bin/xterm -C -fg white -bg black +sb -T "Console login" -e ${pkgs.shadow}/bin/login - ''; - defaultText = '' - ''${pkgs.xterm}/bin/xterm -C -fg white -bg black +sb -T "Console login" -e ''${pkgs.shadow}/bin/login - ''; - description = '' - The command to run when "console" is given as the username. - ''; - }; - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.xserver.displayManager.job = - { environment = - { SLIM_CFGFILE = slimConfig; - SLIM_THEMESDIR = slimThemesDir; - }; - execCmd = "exec ${pkgs.slim}/bin/slim"; - }; - - services.xserver.displayManager.sessionCommands = - '' - # Export the config/themes for slimlock. - export SLIM_THEMESDIR=${slimThemesDir} - ''; - - # Allow null passwords so that the user can login as root on the - # installation CD. - security.pam.services.slim = { allowNullPassword = true; startSession = true; }; - - # Allow slimlock to work. - security.pam.services.slimlock = {}; - - environment.systemPackages = [ pkgs.slim ]; - - }; - + # added 2019-11-11 + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "slim" ] '' + The SLIM project is abandoned and their last release was in 2013. + Because of this it poses a security risk to your system. + Other issues include it not fully supporting systemd and logind sessions. + Please use a different display manager such as LightDM, SDDM, or GDM. + You can also use the startx module which uses Xinitrc. + '') + ]; } diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/x11/hardware/libinput.nix index 4a25232383d..71065dfc26b 100644 --- a/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixos/modules/services/x11/hardware/libinput.nix @@ -209,12 +209,12 @@ in { services.xserver.config = '' - # Automatically enable the libinput driver for all touchpads. + # General libinput configuration. + # See CONFIGURATION DETAILS section of man:libinput(4). Section "InputClass" Identifier "libinputConfiguration" - MatchIsTouchpad "on" + MatchDriver "libinput" ${optionalString (cfg.dev != null) ''MatchDevicePath "${cfg.dev}"''} - Driver "libinput" Option "AccelProfile" "${cfg.accelProfile}" ${optionalString (cfg.accelSpeed != null) ''Option "AccelSpeed" "${cfg.accelSpeed}"''} ${optionalString (cfg.buttonMapping != null) ''Option "ButtonMapping" "${cfg.buttonMapping}"''} diff --git a/nixos/modules/services/x11/imwheel.nix b/nixos/modules/services/x11/imwheel.nix new file mode 100644 index 00000000000..3923df498e7 --- /dev/null +++ b/nixos/modules/services/x11/imwheel.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.xserver.imwheel; +in + { + options = { + services.xserver.imwheel = { + enable = mkEnableOption "IMWheel service"; + + extraOptions = mkOption { + type = types.listOf types.str; + default = [ "--buttons=45" ]; + example = [ "--debug" ]; + description = '' + Additional command-line arguments to pass to + <command>imwheel</command>. + ''; + }; + + rules = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + ".*" = ''' + None, Up, Button4, 8 + None, Down, Button5, 8 + Shift_L, Up, Shift_L|Button4, 4 + Shift_L, Down, Shift_L|Button5, 4 + Control_L, Up, Control_L|Button4 + Control_L, Down, Control_L|Button5 + '''; + ''; + description = '' + Window class translation rules. + /etc/X11/imwheelrc is generated based on this config + which means this config is global for all users. + See <link xlink:href="http://imwheel.sourceforge.net/imwheel.1.html">offical man pages</link> + for more informations. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.imwheel ]; + + environment.etc."X11/imwheel/imwheelrc".source = + pkgs.writeText "imwheelrc" (concatStringsSep "\n\n" + (mapAttrsToList + (rule: conf: "\"${rule}\"\n${conf}") cfg.rules + )); + + systemd.user.services.imwheel = { + description = "imwheel service"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + ExecStart = "${pkgs.imwheel}/bin/imwheel " + escapeShellArgs ([ + "--detach" + "--kill" + ] ++ cfg.extraOptions); + ExecStop = "${pkgs.procps}/bin/pkill imwheel"; + Restart = "on-failure"; + }; + }; + }; + } diff --git a/nixos/modules/services/x11/unclutter.nix b/nixos/modules/services/x11/unclutter.nix index 5f16a680050..2478aaabb79 100644 --- a/nixos/modules/services/x11/unclutter.nix +++ b/nixos/modules/services/x11/unclutter.nix @@ -71,4 +71,7 @@ in { serviceConfig.Restart = "always"; }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/x11/urxvtd.nix b/nixos/modules/services/x11/urxvtd.nix index d916fa5bb39..9bfcfa9b065 100644 --- a/nixos/modules/services/x11/urxvtd.nix +++ b/nixos/modules/services/x11/urxvtd.nix @@ -45,4 +45,6 @@ in { environment.variables.RXVT_SOCKET = "/run/user/$(id -u)/urxvtd-socket"; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index c17f3830d0e..04a9fc46628 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -59,15 +59,14 @@ in }; default = mkOption { - type = types.str; - default = "none"; + type = types.nullOr types.str; + default = null; example = "wmii"; - description = "Default window manager loaded if none have been chosen."; - apply = defaultWM: - if any (w: w.name == defaultWM) cfg.session then - defaultWM - else - throw "Default window manager (${defaultWM}) not found."; + description = '' + <emphasis role="strong">Deprecated</emphasis>, please use <xref linkend="opt-services.xserver.displayManager.defaultSession"/> instead. + + Default window manager loaded if none have been chosen. + ''; }; }; diff --git a/nixos/modules/services/x11/window-managers/xmonad.nix b/nixos/modules/services/x11/window-managers/xmonad.nix index 0e131412276..30c59b88f82 100644 --- a/nixos/modules/services/x11/window-managers/xmonad.nix +++ b/nixos/modules/services/x11/window-managers/xmonad.nix @@ -86,7 +86,7 @@ in ${xmonadBin} waitPID=$! '' else '' - ${xmonad}/bin/xmonad & + systemd-cat -t xmonad ${xmonad}/bin/xmonad & waitPID=$! ''; }]; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index a8406544a72..1f6ee7cfffd 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -149,6 +149,8 @@ in [ ./display-managers/default.nix ./window-managers/default.nix ./desktop-managers/default.nix + (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ] + "See the 16.09 release notes for more information.") ]; @@ -557,7 +559,6 @@ in default = !( dmconf.auto.enable || dmconf.gdm.enable || dmconf.sddm.enable - || dmconf.slim.enable || dmconf.xpra.enable ); in mkIf (default) true; diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix index a32c9dc1f2b..a677ab4cb71 100644 --- a/nixos/modules/system/boot/binfmt.nix +++ b/nixos/modules/system/boot/binfmt.nix @@ -134,6 +134,10 @@ let }; in { + imports = [ + (lib.mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) + ]; + options = { boot.binfmt = { registrations = mkOption { diff --git a/nixos/modules/system/boot/grow-partition.nix b/nixos/modules/system/boot/grow-partition.nix index 8c9b1502558..71a86c74772 100644 --- a/nixos/modules/system/boot/grow-partition.nix +++ b/nixos/modules/system/boot/grow-partition.nix @@ -7,6 +7,9 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ]) + ]; options = { boot.growPartition = mkEnableOption "grow the root partition on boot"; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index e13f0421d38..9a4db84f7b7 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -47,8 +47,8 @@ let grub = f grub; grubTarget = f (grub.grubTarget or ""); shell = "${pkgs.runtimeShell}"; - fullName = (builtins.parseDrvName realGrub.name).name; - fullVersion = (builtins.parseDrvName realGrub.name).version; + fullName = lib.getName realGrub; + fullVersion = lib.getVersion realGrub; grubEfi = f grubEfi; grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else ""; bootPath = args.path; diff --git a/nixos/modules/system/boot/loader/loader.nix b/nixos/modules/system/boot/loader/loader.nix index 7fbda9ef0f5..01475f79b9c 100644 --- a/nixos/modules/system/boot/loader/loader.nix +++ b/nixos/modules/system/boot/loader/loader.nix @@ -3,6 +3,11 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) + (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) + ]; + options = { boot.loader.timeout = mkOption { default = 5; @@ -12,4 +17,4 @@ with lib; ''; }; }; -} \ No newline at end of file +} diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index a4029d766b0..0bb8396a44f 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -126,7 +126,7 @@ let gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null ''} - + # Disable all input echo for the whole stage. We could use read -s # instead but that would ocasionally leak characters between read # invocations. @@ -417,6 +417,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") + ]; options = { diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 85a106527fe..58d914d0810 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -10,8 +10,8 @@ let checkLink = checkUnitConfig "Link" [ (assertOnlyFields [ - "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "OriginalName" - "MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port" + "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "Name" "OriginalName" + "MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port" "Advertise" "TCPSegmentationOffload" "TCP6SegmentationOffload" "GenericSegmentationOffload" "GenericReceiveOffload" "LargeReceiveOffload" "RxChannels" "TxChannels" "OtherChannels" "CombinedChannels" @@ -201,7 +201,7 @@ let (assertValueOneOf "IPv6AcceptRA" boolValues) (assertValueOneOf "IPv4ProxyARP" boolValues) (assertValueOneOf "IPv6ProxyNDP" boolValues) - (assertValueOneOf "IPv6PrefixDelegation" boolValues) + (assertValueOneOf "IPv6PrefixDelegation" (boolValues ++ [ "dhcpv6" "static" ])) (assertValueOneOf "ActiveSlave" boolValues) (assertValueOneOf "PrimarySlave" boolValues) (assertValueOneOf "ConfigureWithoutCarrier" boolValues) @@ -276,7 +276,7 @@ let (assertValueOneOf "ARP" boolValues) (assertValueOneOf "Multicast" boolValues) (assertValueOneOf "Unmanaged" boolValues) - (assertValueOneOf "RequiredForOnline" boolValues) + (assertValueOneOf "RequiredForOnline" (boolValues ++ ["off" "no-carrier" "dormant" "degraded-carrier" "carrier" "degraded" "enslaved" "routable"])) ]; @@ -924,6 +924,8 @@ in config = mkIf config.systemd.network.enable { + users.users.systemd-network.group = "systemd-network"; + systemd.additionalUpstreamSystemUnits = [ "systemd-networkd.service" "systemd-networkd-wait-online.service" ]; diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix index adca3c3f66e..23fce22366d 100644 --- a/nixos/modules/system/boot/plymouth.nix +++ b/nixos/modules/system/boot/plymouth.nix @@ -25,6 +25,7 @@ let [Daemon] ShowDelay=0 Theme=${cfg.theme} + ${cfg.extraConfig} ''; in @@ -65,6 +66,15 @@ in ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Literal string to append to <literal>configFile</literal> + and the config file generated by the plymouth module. + ''; + }; + }; }; diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 3ea96f8e464..da61c64faf8 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -136,6 +136,8 @@ in } ]; + users.users.resolved.group = "systemd-resolve"; + systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" ]; diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix index 3ddd45b1348..1e2435e36f0 100644 --- a/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixos/modules/system/boot/systemd-nspawn.nix @@ -126,7 +126,7 @@ in { systemd.services."systemd-nspawn@".serviceConfig.ExecStart = [ "" # deliberately empty. signals systemd to override the ExecStart # Only difference between upstream is that we do not pass the -U flag - "${pkgs.systemd}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" + "${config.systemd.package}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" ]; } ]; diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index c1f2c98afcd..bee21f1a8f3 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix @@ -24,7 +24,7 @@ in rec { in if isList (head defs'') then concatLists defs'' - else mergeOneOption loc defs'; + else mergeEqualOption loc defs'; }; sharedOptions = { diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 33b350902a1..7951dcc816a 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -63,6 +63,7 @@ let "systemd-logind.service" "autovt@.service" "systemd-user-sessions.service" + "dbus-org.freedesktop.import1.service" "dbus-org.freedesktop.machine1.service" "user@.service" "user-runtime-dir@.service" @@ -145,6 +146,7 @@ let "user.slice" "machine.slice" "machines.target" + "systemd-importd.service" "systemd-machined.service" "systemd-nspawn@.service" @@ -406,7 +408,6 @@ let in { - ###### interface options = { @@ -1004,5 +1005,7 @@ in [ (mkRenamedOptionModule [ "boot" "systemd" "sockets" ] [ "systemd" "sockets" ]) (mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ]) (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ]) + (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) + (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") ]; } diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix index 8282cdd6f3a..9e2f36ca01f 100644 --- a/nixos/modules/system/boot/timesyncd.nix +++ b/nixos/modules/system/boot/timesyncd.nix @@ -20,6 +20,18 @@ with lib; The set of NTP servers from which to synchronise. ''; }; + extraConfig = mkOption { + default = ""; + type = types.lines; + example = '' + PollIntervalMaxSec=180 + ''; + description = '' + Extra config options for systemd-timesyncd. See + <link xlink:href="https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html"> + timesyncd.conf(5)</link> for available options. + ''; + }; }; }; @@ -35,9 +47,13 @@ with lib; environment.etc."systemd/timesyncd.conf".text = '' [Time] NTP=${concatStringsSep " " config.services.timesyncd.servers} + ${config.services.timesyncd.extraConfig} ''; - users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync; + users.users.systemd-timesync = { + uid = config.ids.uids.systemd-timesync; + group = "systemd-timesync"; + }; users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync; system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") '' diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index e0e8bb1f03d..ddcc0ed8f5a 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix @@ -25,6 +25,9 @@ let ''; nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig; + requestKeyConfFile = pkgs.writeText "request-key.conf" '' + create id_resolver * * ${pkgs.nfs-utils}/bin/nfsidmap -t 600 %k %d + ''; cfg = config.services.nfs; @@ -57,9 +60,12 @@ in systemd.packages = [ pkgs.nfs-utils ]; + environment.systemPackages = [ pkgs.keyutils ]; + environment.etc = { "idmapd.conf".source = idmapdConfFile; "nfs.conf".source = nfsConfFile; + "request-key.conf".source = requestKeyConfFile; }; systemd.services.nfs-blkmap = diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index fe11917c609..d14ba98ec48 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -12,6 +12,7 @@ let cfgSnapFlags = cfgSnapshots.flags; cfgScrub = config.services.zfs.autoScrub; cfgTrim = config.services.zfs.trim; + cfgZED = config.services.zfs.zed; inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems; inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems; @@ -87,10 +88,25 @@ let } ''; + zedConf = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault { + mkValueString = v: + if isInt v then toString v + else if isString v then "\"${v}\"" + else if true == v then "1" + else if false == v then "0" + else if isList v then "\"" + (concatStringsSep " " v) + "\"" + else err "this value is" (toString v); + } "="; + } cfgZED.settings; in { + imports = [ + (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") + ]; + ###### interface options = { @@ -312,6 +328,32 @@ in ''; }; }; + + services.zfs.zed.settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); + example = literalExample '' + { + ZED_DEBUG_LOG = "/tmp/zed.debug.log"; + + ZED_EMAIL_ADDR = [ "root" ]; + ZED_EMAIL_PROG = "mail"; + ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@"; + + ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NOTIFY_VERBOSE = false; + + ZED_USE_ENCLOSURE_LEDS = true; + ZED_SCRUB_AFTER_RESILVER = false; + } + ''; + description = '' + ZFS Event Daemon /etc/zfs/zed.d/zed.rc content + + See + <citerefentry><refentrytitle>zed</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables + ''; + }; }; ###### implementation @@ -389,8 +431,32 @@ in zfsSupport = true; }; - environment.etc."zfs/zed.d".source = "${packages.zfsUser}/etc/zfs/zed.d/"; - environment.etc."zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/"; + services.zfs.zed.settings = { + ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail"; + }; + + environment.etc = genAttrs + (map + (file: "zfs/zed.d/${file}") + [ + "all-syslog.sh" + "pool_import-led.sh" + "resilver_finish-start-scrub.sh" + "statechange-led.sh" + "vdev_attach-led.sh" + "zed-functions.sh" + "data-notify.sh" + "resilver_finish-notify.sh" + "scrub_finish-notify.sh" + "statechange-notify.sh" + "vdev_clear-led.sh" + ] + ) + (file: { source = "${packages.zfsUser}/etc/${file}"; }) + // { + "zfs/zed.d/zed.rc".text = zedConf; + "zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/"; + }; system.fsPackages = [ packages.zfsUser ]; # XXX: needed? zfs doesn't have (need) a fsck environment.systemPackages = [ packages.zfsUser ] diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix deleted file mode 100644 index c6ba998b19e..00000000000 --- a/nixos/modules/tasks/kbd.nix +++ /dev/null @@ -1,127 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - makeColor = n: value: "COLOR_${toString n}=${value}"; - makeColorCS = - let positions = [ "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "A" "B" "C" "D" "E" "F" ]; - in n: value: "\\033]P${elemAt positions (n - 1)}${value}"; - colors = concatImapStringsSep "\n" makeColor config.i18n.consoleColors; - - isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); - - optimizedKeymap = pkgs.runCommand "keymap" { - nativeBuildInputs = [ pkgs.buildPackages.kbd ]; - LOADKEYS_KEYMAP_PATH = "${kbdEnv}/share/keymaps/**"; - preferLocalBuild = true; - } '' - loadkeys -b ${optionalString isUnicode "-u"} "${config.i18n.consoleKeyMap}" > $out - ''; - - # Sadly, systemd-vconsole-setup doesn't support binary keymaps. - vconsoleConf = pkgs.writeText "vconsole.conf" '' - KEYMAP=${config.i18n.consoleKeyMap} - FONT=${config.i18n.consoleFont} - ${colors} - ''; - - kbdEnv = pkgs.buildEnv { - name = "kbd-env"; - paths = [ pkgs.kbd ] ++ config.i18n.consolePackages; - pathsToLink = [ "/share/consolefonts" "/share/consoletrans" "/share/keymaps" "/share/unimaps" ]; - }; - - setVconsole = !config.boot.isContainer; -in - -{ - ###### interface - - options = { - - # most options are defined in i18n.nix - - # FIXME: still needed? - boot.extraTTYs = mkOption { - default = []; - type = types.listOf types.str; - example = ["tty8" "tty9"]; - description = '' - Tty (virtual console) devices, in addition to the consoles on - which mingetty and syslogd run, that must be initialised. - Only useful if you have some program that you want to run on - some fixed console. For example, the NixOS installation CD - opens the manual in a web browser on console 7, so it sets - <option>boot.extraTTYs</option> to <literal>["tty7"]</literal>. - ''; - }; - - boot.earlyVconsoleSetup = mkOption { - default = false; - type = types.bool; - description = '' - Enable setting font as early as possible (in initrd). - ''; - }; - - }; - - - ###### implementation - - config = mkMerge [ - (mkIf (!setVconsole) { - systemd.services.systemd-vconsole-setup.enable = false; - }) - - (mkIf setVconsole (mkMerge [ - { environment.systemPackages = [ pkgs.kbd ]; - - # Let systemd-vconsole-setup.service do the work of setting up the - # virtual consoles. - environment.etc."vconsole.conf".source = vconsoleConf; - # Provide kbd with additional packages. - environment.etc.kbd.source = "${kbdEnv}/share"; - - boot.initrd.preLVMCommands = mkBefore '' - kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console - printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console - loadkmap < ${optimizedKeymap} - - ${optionalString config.boot.earlyVconsoleSetup '' - setfont -C /dev/console $extraUtils/share/consolefonts/font.psf - ''} - - ${concatImapStringsSep "\n" (n: color: '' - printf "${makeColorCS n color}" >> /dev/console - '') config.i18n.consoleColors} - ''; - - systemd.services.systemd-vconsole-setup = - { before = [ "display-manager.service" ]; - after = [ "systemd-udev-settle.service" ]; - restartTriggers = [ vconsoleConf kbdEnv ]; - }; - } - - (mkIf config.boot.earlyVconsoleSetup { - boot.initrd.extraUtilsCommands = '' - mkdir -p $out/share/consolefonts - ${if substring 0 1 config.i18n.consoleFont == "/" then '' - font="${config.i18n.consoleFont}" - '' else '' - font="$(echo ${kbdEnv}/share/consolefonts/${config.i18n.consoleFont}.*)" - ''} - if [[ $font == *.gz ]]; then - gzip -cd $font > $out/share/consolefonts/font.psf - else - cp -L $font $out/share/consolefonts/font.psf - fi - ''; - }) - ])) - ]; - -} diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 9ffa1089ee6..e25dc0c0b39 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -60,8 +60,8 @@ in let domains = cfg.search ++ (optional (cfg.domain != null) cfg.domain); genericNetwork = override: - let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address - ++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address; + let gateway = optional (cfg.defaultGateway != null && (cfg.defaultGateway.address or "") != "") cfg.defaultGateway.address + ++ optional (cfg.defaultGateway6 != null && (cfg.defaultGateway6.address or "") != "") cfg.defaultGateway6.address; in optionalAttrs (gateway != [ ]) { routes = override [ { diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 1a11d9ce7c2..1baeab53b0c 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -15,7 +15,7 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; }; # # One particular example are the boot tests where we want instrumentation # within the images but not other stuff like setting up 9p filesystems. - options.virtualisation.qemu.program = mkOption { type = types.path; }; + options.virtualisation.qemu = { }; config = { diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index f7a37d8c9f3..6ff6bdd30c2 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -10,6 +10,7 @@ with lib; nix.optimise.automatic = mkDefault false; # the store is host managed services.udisks2.enable = mkDefault false; powerManagement.enable = mkDefault false; + documentation.nixos.enable = mkDefault false; networking.useHostResolvConf = mkDefault true; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 691ee2c136e..09678ce9ea7 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -149,7 +149,7 @@ let --setenv PATH="$PATH" \ ${optionalString cfg.ephemeral "--ephemeral"} \ ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then - ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else "" + ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else "" } \ ${if cfg.tmpfs != null && cfg.tmpfs != [] then ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else "" diff --git a/nixos/modules/virtualisation/digital-ocean-config.nix b/nixos/modules/virtualisation/digital-ocean-config.nix new file mode 100644 index 00000000000..88cb0cd450e --- /dev/null +++ b/nixos/modules/virtualisation/digital-ocean-config.nix @@ -0,0 +1,197 @@ +{ config, pkgs, lib, modulesPath, ... }: +with lib; +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/virtualisation/digital-ocean-init.nix") + ]; + options.virtualisation.digitalOcean = with types; { + setRootPassword = mkOption { + type = bool; + default = false; + example = true; + description = "Whether to set the root password from the Digital Ocean metadata"; + }; + setSshKeys = mkOption { + type = bool; + default = true; + example = true; + description = "Whether to fetch ssh keys from Digital Ocean"; + }; + seedEntropy = mkOption { + type = bool; + default = true; + example = true; + description = "Whether to run the kernel RNG entropy seeding script from the Digital Ocean vendor data"; + }; + }; + config = + let + cfg = config.virtualisation.digitalOcean; + hostName = config.networking.hostName; + doMetadataFile = "/run/do-metadata/v1.json"; + in mkMerge [{ + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + boot = { + growPartition = true; + kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; + initrd.kernelModules = [ "virtio_scsi" ]; + kernelModules = [ "virtio_pci" "virtio_net" ]; + loader = { + grub.device = "/dev/vda"; + timeout = 0; + grub.configurationLimit = 0; + }; + }; + services.openssh = { + enable = mkDefault true; + passwordAuthentication = mkDefault false; + }; + services.do-agent.enable = mkDefault true; + networking = { + hostName = mkDefault ""; # use Digital Ocean metadata server + }; + + /* Check for and wait for the metadata server to become reachable. + * This serves as a dependency for all the other metadata services. */ + systemd.services.digitalocean-metadata = { + path = [ pkgs.curl ]; + description = "Get host metadata provided by Digitalocean"; + script = '' + set -eu + DO_DELAY_ATTEMPTS=0 + while ! curl -fsSL -o $RUNTIME_DIRECTORY/v1.json http://169.254.169.254/metadata/v1.json; do + DO_DELAY_ATTEMPTS=$((DO_DELAY_ATTEMPTS + 1)) + if (( $DO_DELAY_ATTEMPTS >= $DO_DELAY_ATTEMPTS_MAX )); then + echo "giving up" + exit 1 + fi + + echo "metadata unavailable, trying again in 1s..." + sleep 1 + done + chmod 600 $RUNTIME_DIRECTORY/v1.json + ''; + environment = { + DO_DELAY_ATTEMPTS_MAX = "10"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + RuntimeDirectory = "do-metadata"; + RuntimeDirectoryPreserve = "yes"; + }; + unitConfig = { + ConditionPathExists = "!${doMetadataFile}"; + After = [ "network-pre.target" ] ++ + optional config.networking.dhcpcd.enable "dhcpcd.service" ++ + optional config.systemd.network.enable "systemd-networkd.service"; + }; + }; + + /* Fetch the root password from the digital ocean metadata. + * There is no specific route for this, so we use jq to get + * it from the One Big JSON metadata blob */ + systemd.services.digitalocean-set-root-password = mkIf cfg.setRootPassword { + path = [ pkgs.shadow pkgs.jq ]; + description = "Set root password provided by Digitalocean"; + wantedBy = [ "multi-user.target" ]; + script = '' + set -eo pipefail + ROOT_PASSWORD=$(jq -er '.auth_key' ${doMetadataFile}) + echo "root:$ROOT_PASSWORD" | chpasswd + mkdir -p /etc/do-metadata/set-root-password + ''; + unitConfig = { + ConditionPathExists = "!/etc/do-metadata/set-root-password"; + Before = optional config.services.openssh.enable "sshd.service"; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + /* Set the hostname from Digital Ocean, unless the user configured it in + * the NixOS configuration. The cached metadata file isn't used here + * because the hostname is a mutable part of the droplet. */ + systemd.services.digitalocean-set-hostname = mkIf (hostName == "") { + path = [ pkgs.curl pkgs.nettools ]; + description = "Set hostname provided by Digitalocean"; + wantedBy = [ "network.target" ]; + script = '' + set -e + DIGITALOCEAN_HOSTNAME=$(curl -fsSL http://169.254.169.254/metadata/v1/hostname) + hostname "$DIGITALOCEAN_HOSTNAME" + if [[ ! -e /etc/hostname || -w /etc/hostname ]]; then + printf "%s\n" "$DIGITALOCEAN_HOSTNAME" > /etc/hostname + fi + ''; + unitConfig = { + Before = [ "network.target" ]; + After = [ "digitalocean-metadata.service" ]; + Wants = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + /* Fetch the ssh keys for root from Digital Ocean */ + systemd.services.digitalocean-ssh-keys = mkIf cfg.setSshKeys { + description = "Set root ssh keys provided by Digital Ocean"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.jq ]; + script = '' + set -e + mkdir -m 0700 -p /root/.ssh + jq -er '.public_keys[]' ${doMetadataFile} > /root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + unitConfig = { + ConditionPathExists = "!/root/.ssh/authorized_keys"; + Before = optional config.services.openssh.enable "sshd.service"; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + }; + + /* Initialize the RNG by running the entropy-seed script from the + * Digital Ocean metadata + */ + systemd.services.digitalocean-entropy-seed = mkIf cfg.seedEntropy { + description = "Run the kernel RNG entropy seeding script from the Digital Ocean vendor data"; + wantedBy = [ "network.target" ]; + path = [ pkgs.jq pkgs.mpack ]; + script = '' + set -eo pipefail + TEMPDIR=$(mktemp -d) + jq -er '.vendor_data' ${doMetadataFile} | munpack -tC $TEMPDIR + ENTROPY_SEED=$(grep -rl "DigitalOcean Entropy Seed script" $TEMPDIR) + ${pkgs.runtimeShell} $ENTROPY_SEED + rm -rf $TEMPDIR + ''; + unitConfig = { + Before = [ "network.target" ]; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + } + ]; + meta.maintainers = with maintainers; [ arianvp eamsden ]; +} + diff --git a/nixos/modules/virtualisation/digital-ocean-image.nix b/nixos/modules/virtualisation/digital-ocean-image.nix new file mode 100644 index 00000000000..b582e235d43 --- /dev/null +++ b/nixos/modules/virtualisation/digital-ocean-image.nix @@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.virtualisation.digitalOceanImage; +in +{ + + imports = [ ./digital-ocean-config.nix ]; + + options = { + virtualisation.digitalOceanImage.diskSize = mkOption { + type = with types; int; + default = 4096; + description = '' + Size of disk image. Unit is MB. + ''; + }; + + virtualisation.digitalOceanImage.configFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + A path to a configuration file which will be placed at + <literal>/etc/nixos/configuration.nix</literal> and be used when switching + to a new configuration. If set to <literal>null</literal>, a default + configuration is used that imports + <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>. + ''; + }; + + virtualisation.digitalOceanImage.compressionMethod = mkOption { + type = types.enum [ "gzip" "bzip2" ]; + default = "gzip"; + example = "bzip2"; + description = '' + Disk image compression method. Choose bzip2 to generate smaller images that + take longer to generate but will consume less metered storage space on your + Digital Ocean account. + ''; + }; + }; + + #### implementation + config = { + + system.build.digitalOceanImage = import ../../lib/make-disk-image.nix { + name = "digital-ocean-image"; + format = "qcow2"; + postVM = let + compress = { + "gzip" = "${pkgs.gzip}/bin/gzip"; + "bzip2" = "${pkgs.bzip2}/bin/bzip2"; + }.${cfg.compressionMethod}; + in '' + ${compress} $diskImage + ''; + configFile = if cfg.configFile == null + then config.virtualisation.digitalOcean.defaultConfigFile + else cfg.configFile; + inherit (cfg) diskSize; + inherit config lib pkgs; + }; + + }; + + meta.maintainers = with maintainers; [ arianvp eamsden ]; + +} diff --git a/nixos/modules/virtualisation/digital-ocean-init.nix b/nixos/modules/virtualisation/digital-ocean-init.nix new file mode 100644 index 00000000000..02f4de009fa --- /dev/null +++ b/nixos/modules/virtualisation/digital-ocean-init.nix @@ -0,0 +1,95 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.virtualisation.digitalOcean; + defaultConfigFile = pkgs.writeText "digitalocean-configuration.nix" '' + { modulesPath, lib, ... }: + { + imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ + (modulesPath + "/virtualisation/digital-ocean-config.nix") + ]; + } + ''; +in { + options.virtualisation.digitalOcean.rebuildFromUserData = mkOption { + type = types.bool; + default = true; + example = true; + description = "Whether to reconfigure the system from Digital Ocean user data"; + }; + options.virtualisation.digitalOcean.defaultConfigFile = mkOption { + type = types.path; + default = defaultConfigFile; + defaultText = '' + The default configuration imports user-data if applicable and + <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>. + ''; + description = '' + A path to a configuration file which will be placed at + <literal>/etc/nixos/configuration.nix</literal> and be used when switching to + a new configuration. + ''; + }; + + config = { + systemd.services.digitalocean-init = mkIf cfg.rebuildFromUserData { + description = "Reconfigure the system from Digital Ocean userdata on startup"; + wantedBy = [ "network-online.target" ]; + unitConfig = { + ConditionPathExists = "!/etc/nixos/do-userdata.nix"; + After = [ "digitalocean-metadata.service" "network-online.target" ]; + Requires = [ "digitalocean-metadata.service" ]; + X-StopOnRemoval = false; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + restartIfChanged = false; + path = [ pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.systemd config.nix.package config.system.build.nixos-rebuild ]; + environment = { + HOME = "/root"; + NIX_PATH = concatStringsSep ":" [ + "/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + }; + script = '' + set -e + echo "attempting to fetch configuration from Digital Ocean user data..." + userData=$(mktemp) + if jq -er '.user_data' /run/do-metadata/v1.json > $userData; then + # If the user-data looks like it could be a nix expression, + # copy it over. Also, look for a magic three-hash comment and set + # that as the channel. + if nix-instantiate --parse $userData > /dev/null; then + channels="$(grep '^###' "$userData" | sed 's|###\s*||')" + printf "%s" "$channels" | while read channel; do + echo "writing channel: $channel" + done + + if [[ -n "$channels" ]]; then + printf "%s" "$channels" > /root/.nix-channels + nix-channel --update + fi + + echo "setting configuration from Digital Ocean user data" + cp "$userData" /etc/nixos/do-userdata.nix + if [[ ! -e /etc/nixos/configuration.nix ]]; then + install -m0644 ${cfg.defaultConfigFile} /etc/nixos/configuration.nix + fi + else + echo "user data does not appear to be a Nix expression; ignoring" + exit + fi + + nixos-rebuild switch + else + echo "no user data is available" + fi + ''; + }; + }; + meta.maintainers = with maintainers; [ arianvp eamsden ]; +} diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 82451787e8a..62912535018 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -7,6 +7,10 @@ with lib; { + imports = [ + (mkRemovedOptionModule [ "ec2" "metadata" ] "") + ]; + config = { systemd.services.apply-ec2-data = diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 16b79d86919..52d852894ce 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -28,6 +28,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ] + "Set the option `virtualisation.libvirtd.qemuPackage' instead.") + ]; + ###### interface options.virtualisation.libvirtd = { @@ -146,7 +151,8 @@ in { # this file is expected in /etc/qemu and not sysconfdir (/var/lib) etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e: "allow ${e}") cfg.allowedBridges; - systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ]; + systemPackages = with pkgs; [ libvirt libressl.nc iptables cfg.qemuPackage ]; + etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes"; }; boot.kernelModules = [ "tun" ]; diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix index 9b5adaf0824..f484d5ee59a 100644 --- a/nixos/modules/virtualisation/lxc.nix +++ b/nixos/modules/virtualisation/lxc.nix @@ -58,7 +58,7 @@ in '' This is the config file for managing unprivileged user network administration access in LXC. See <citerefentry> - <refentrytitle>lxc-user-net</refentrytitle><manvolnum>5</manvolnum> + <refentrytitle>lxc-usernet</refentrytitle><manvolnum>5</manvolnum> </citerefentry>. ''; }; diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 505c11abd20..b4934a86cf5 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -35,6 +35,18 @@ in with nixos. ''; }; + recommendedSysctlSettings = mkOption { + type = types.bool; + default = false; + description = '' + enables various settings to avoid common pitfalls when + running containers requiring many file operations. + Fixes errors like "Too many open files" or + "neighbour: ndisc_cache: neighbor table overflow!". + See https://lxd.readthedocs.io/en/latest/production-setup/ + for details. + ''; + }; }; }; @@ -69,8 +81,11 @@ in ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd"; Type = "simple"; KillMode = "process"; # when stopping, leave the containers alone + LimitMEMLOCK = "infinity"; + LimitNOFILE = "1048576"; + LimitNPROC = "infinity"; + TasksMax = "infinity"; }; - }; users.groups.lxd.gid = config.ids.gids.lxd; @@ -79,5 +94,16 @@ in subUidRanges = [ { startUid = 1000000; count = 65536; } ]; subGidRanges = [ { startGid = 1000000; count = 65536; } ]; }; + + boot.kernel.sysctl = mkIf cfg.recommendedSysctlSettings { + "fs.inotify.max_queued_events" = 1048576; + "fs.inotify.max_user_instances" = 1048576; + "fs.inotify.max_user_watches" = 1048576; + "vm.max_map_count" = 262144; + "kernel.dmesg_restrict" = 1; + "net.ipv4.neigh.default.gc_thresh3" = 8192; + "net.ipv6.neigh.default.gc_thresh3" = 8192; + "kernel.keys.maxkeys" = 2000; + }; }; } diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix index edec3740230..6b8ad83661f 100644 --- a/nixos/modules/virtualisation/openvswitch.nix +++ b/nixos/modules/virtualisation/openvswitch.nix @@ -42,6 +42,9 @@ in { default = false; description = '' Whether to start racoon service for openvswitch. + Supported only if openvswitch version is less than 2.6.0. + Use <literal>virtualisation.vswitch.package = pkgs.openvswitch-lts</literal> + for a version that supports ipsec over GRE. ''; }; }; @@ -89,6 +92,13 @@ in { "${cfg.package}/share/openvswitch/vswitch.ovsschema" fi chmod -R +w /var/db/openvswitch + if ${cfg.package}/bin/ovsdb-tool needs-conversion /var/db/openvswitch/conf.db | grep -q "yes" + then + echo "Performing database upgrade" + ${cfg.package}/bin/ovsdb-tool convert /var/db/openvswitch/conf.db + else + echo "Database already up to date" + fi ''; serviceConfig = { ExecStart = @@ -133,7 +143,7 @@ in { }; } - (mkIf cfg.ipsec { + (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { services.racoon.enable = true; services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; @@ -172,5 +182,4 @@ in { ''; }; })])); - } diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index e313d2b411b..31d332e9f07 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -620,7 +620,7 @@ in # Wireless won't work in the VM. networking.wireless.enable = mkVMOverride false; - networking.connman.enable = mkVMOverride false; + services.connman.enable = mkVMOverride false; # Speed up booting by not waiting for ARP. networking.dhcpcd.extraConfig = "noarp"; diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index f418f849759..962a9059ea4 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -8,6 +8,10 @@ let xf86inputvmmouse = pkgs.xorg.xf86inputvmmouse; in { + imports = [ + (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) + ]; + options.virtualisation.vmware.guest = { enable = mkEnableOption "VMWare Guest Support"; headless = mkOption { diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 06d5c63476f..6fd54c52758 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -9,6 +9,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.") + (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) + ]; + ###### interface options = { |